guerrilla | 85f9e216a24dd777f8e4b7db008128d402355eb93a316fa6ba6c6d8392720a19

Analysis

max time kernel
379s
max time network
380s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
11/03/2025, 18:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MegaHack v5.4 SETUP.exe
Size

14.6MB
MD5

21f8588ba383393390d76ca642d73183
SHA1

292d500d0ab46c701b33a93284e99a5144078be6
SHA256

85f9e216a24dd777f8e4b7db008128d402355eb93a316fa6ba6c6d8392720a19
SHA512

6426425fcf4ca0ae1ebfbc5b1b91f86a4b9a1bb7a9dc1f648879d3f810c1e5a36d0f3b56effe1f204d0e1847eb93b0ca00fd7c5c2899a8097268f9eddfcbcbd0
SSDEEP

393216:mEGDkj4i79yFTB3HWNmHrjAbh6pBKzd25iFsmF5cISZH:mnA/EFTB3RHyzQxmF5C

Score

10^/10

guerrilla otpstealer defense_evasion discovery execution exploit infostealer persistence privilege_escalation rat spyware trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla
Guerrilla family
guerrilla

Guerrilla payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0001000000000133-1723.dat	family_guerrilla

Otpstealer
Otpstealer is an Android SMS Stealer that targets OTP first seen in February 2022.
trojan infostealer spyware otpstealer
Otpstealer family
otpstealer

Otpstealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0001000000000133-1723.dat	family_otpstealer

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
133	2660	chrome.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert"	regsvr32.exe

Possible privilege escalation attempt 14 IoCs

exploit

pid	Process
2128	takeown.exe
5512	takeown.exe
5676	icacls.exe
4900	icacls.exe
5212	takeown.exe
5720	icacls.exe
4468	icacls.exe
6484	takeown.exe
6536	icacls.exe
6588	takeown.exe
3548	icacls.exe
1720	takeown.exe
4560	takeown.exe
5856	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 21 IoCs

pid	Process
112	MegaHack v5.4 SETUP.tmp
5412	LDPlayer9_ens_1001_ld.exe
2556	LDPlayer.exe
1256	dnrepairer.exe
5736	Ld9BoxSVC.exe
4900	driverconfig.exe
5132	dnplayer.exe
2180	Ld9BoxSVC.exe
5564	vbox-img.exe
5660	vbox-img.exe
5456	vbox-img.exe
6004	Ld9BoxHeadless.exe
5664	Ld9BoxHeadless.exe
5632	Ld9BoxHeadless.exe
2184	Ld9BoxHeadless.exe
704	Ld9BoxHeadless.exe
6220	dnrepairer.exe
6420	regsvr32_x86.exe
3612	Ld9BoxSVC.exe
6860	NetLwfUninstall.exe
6796	Ld9BoxSVC.exe

Loads dropped DLL 64 IoCs

pid	Process
1256	dnrepairer.exe
1256	dnrepairer.exe
1256	dnrepairer.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5736	Ld9BoxSVC.exe
5832	regsvr32.exe
5832	regsvr32.exe
5832	regsvr32.exe
5832	regsvr32.exe
5832	regsvr32.exe
5832	regsvr32.exe
5832	regsvr32.exe
5832	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5828	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
5848	regsvr32.exe
4900	driverconfig.exe
4900	driverconfig.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe
5132	dnplayer.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3548	icacls.exe
5512	takeown.exe
5676	icacls.exe
4900	icacls.exe
4560	takeown.exe
5856	icacls.exe
5212	takeown.exe
6536	icacls.exe
6588	takeown.exe
1720	takeown.exe
5720	icacls.exe
2128	takeown.exe
4468	icacls.exe
6484	takeown.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\F:	dnplayer.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\F:	LDPlayer9_ens_1001_ld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
422	discord.com
438	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libssl-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStubLegacy.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxTestOGL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qminimal.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\UICommon.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5PrintSupport.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDbg.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_CM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxExtPackHelperApp.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\INF\oem0.PNF	NetLwfUninstall.exe
File created	C:\Windows\INF\oem1.PNF	NetLwfUninstall.exe
File created	C:\Windows\INF\oem2.PNF	NetLwfUninstall.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6844	sc.exe
5964	sc.exe
4900	sc.exe
6768	sc.exe
2556	sc.exe
6892	sc.exe
2204	sc.exe
5128	sc.exe
4436	sc.exe
5996	sc.exe
5688	sc.exe
1624	sc.exe
864	sc.exe
5200	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MegaHack v5.4 SETUP.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1001_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1156	systeminfo.exe
3036	systeminfo.exe
7132	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "80"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133861908307998450"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0D96-40ED-AE46-A564D484325E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\ = "ISnapshotRestoredEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}\ = "IVetoEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-808E-11E9-B773-133D9330F849}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5637-472A-9736-72019EABD7DE}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414b-bd16-77df7ba3451e}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7708-444B-9EEF-C116CE423D39}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\ = "IGuestSessionStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\ = "IGuestDirectory"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5637-472A-9736-72019EABD7DE}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-a227-4f23-8278-2f675eea1bb2}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\ = "ISnapshotChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ProgId	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6FA-430E-6020-6A505D086387}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\NumMethods\ = "15"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\ = "IEmulatedUSB"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\NumMethods\ = "14"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods\ = "26"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ = "ISnapshotEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
4900	chrome.exe
5412	LDPlayer9_ens_1001_ld.exe
5412	LDPlayer9_ens_1001_ld.exe
5412	LDPlayer9_ens_1001_ld.exe
5412	LDPlayer9_ens_1001_ld.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
1256	dnrepairer.exe
1256	dnrepairer.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
2556	LDPlayer.exe
2556	LDPlayer.exe
5412	LDPlayer9_ens_1001_ld.exe
5412	LDPlayer9_ens_1001_ld.exe
5424	msedge.exe
5424	msedge.exe
5108	msedge.exe
5108	msedge.exe
912	msedge.exe
912	msedge.exe
6664	identity_helper.exe
6664	identity_helper.exe
6848	msedge.exe
6848	msedge.exe
5132	dnplayer.exe
5132	dnplayer.exe
6220	dnrepairer.exe
6220	dnrepairer.exe
7060	powershell.exe
7060	powershell.exe
7060	powershell.exe
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
6460	powershell.exe
6460	powershell.exe
6460	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5132	dnplayer.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
5132	dnplayer.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5132	dnplayer.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
5132	dnplayer.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5132	dnplayer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
896	MiniSearchHost.exe
5412	LDPlayer9_ens_1001_ld.exe
2556	LDPlayer.exe
1256	dnrepairer.exe
5736	Ld9BoxSVC.exe
4900	driverconfig.exe
5628	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 112	3932	MegaHack v5.4 SETUP.exe	78
PID 3932 wrote to memory of 112	3932	MegaHack v5.4 SETUP.exe	78
PID 3932 wrote to memory of 112	3932	MegaHack v5.4 SETUP.exe	78
PID 4604 wrote to memory of 4764	4604	chrome.exe	82
PID 4604 wrote to memory of 4764	4604	chrome.exe	82
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 1572	4604	chrome.exe	83
PID 4604 wrote to memory of 2660	4604	chrome.exe	84
PID 4604 wrote to memory of 2660	4604	chrome.exe	84
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85
PID 4604 wrote to memory of 4704	4604	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\MegaHack v5.4 SETUP.exe
"C:\Users\Admin\AppData\Local\Temp\MegaHack v5.4 SETUP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\is-QTBVQ.tmp\MegaHack v5.4 SETUP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QTBVQ.tmp\MegaHack v5.4 SETUP.tmp" /SL5="$6030A,15016215,57856,C:\Users\Admin\AppData\Local\Temp\MegaHack v5.4 SETUP.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0dbacc40,0x7ffe0dbacc4c,0x7ffe0dbacc58
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1392,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5380,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5392,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5480,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5644 /prefetch:2
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4272,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4280 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3804,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5428,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5184,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5272,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3348,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5888,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5912,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6224,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6232,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6212,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5176,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6188,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5896,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=6324,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5192,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6580,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7020,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7036 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=8040,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7420,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8036,i,11743565324038717145,13533642368359657161,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:1000
- C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5412
- - F:\LDPlayer\LDPlayer9\LDPlayer.exe
    "F:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="F:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2556
  - - F:\LDPlayer\LDPlayer9\dnrepairer.exe
      "F:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328450
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1256
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5452
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5484
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:3704
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "F:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:1720
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "F:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4900
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "F:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Enumerates connected drives
        
        PID:4560
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "F:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5856
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\Users\Admin\.Ld9VirtualBox" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5212
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\Users\Admin\.Ld9VirtualBox" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5720
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5736
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:5832
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5828
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5804
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        
        PID:5128
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4436
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5964
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c systeminfo
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:1156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4852
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'F:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
  - - F:\LDPlayer\LDPlayer9\driverconfig.exe
      "F:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4900
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f F:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Enumerates connected drives
      PID:2128
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" F:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdf8553cb8,0x7ffdf8553cc8,0x7ffdf8553cd8
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
      4⤵
      PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8
      4⤵
      PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
      4⤵
      PID:5696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4024 /prefetch:8
      4⤵
      PID:3404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3968 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
      4⤵
      PID:6648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
      4⤵
      PID:6964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:6972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      PID:7120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8674643494413685641,131054493545504687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      4⤵
      PID:7140
- - F:\LDPlayer\LDPlayer9\dnplayer.exe
    "F:\LDPlayer\LDPlayer9\dnplayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5132
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5688
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:3036
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-54d7-bbbb00000000
      4⤵
      Executes dropped EXE
      PID:5564
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-54d7-000000000000
      4⤵
      Executes dropped EXE
      PID:5660
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-54d7-000000000000
      4⤵
      Executes dropped EXE
      PID:5456
  - - F:\LDPlayer\LDPlayer9\dnrepairer.exe
      "F:\LDPlayer\LDPlayer9\dnrepairer.exe" cmd=fixError|playerid=0|errorcode=13|subcode=-2147467259|reportid={285F1E6F-AE38-47ea-A771-2CDC354DE4AB}|vtstate=1
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6220
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:6360
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:6376
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6388
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
    - - C:\Program Files\ldplayer9box\regsvr32_x86.exe
        
        "C:\Program Files\ldplayer9box\regsvr32_x86.exe" Initpki.dll /s
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6420
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        
        PID:6440
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6456
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:6468
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "F:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6484
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "F:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6536
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "F:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6588
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "F:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3548
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /UnregServer
        5⤵
        Executes dropped EXE
        
        PID:3612
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s /u
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6652
    - - C:\Windows\system32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s /u
        5⤵
        
        PID:6748
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" query Ld9BoxNetLwf
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6768
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" stop Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1624
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" delete Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:864
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" stop Ld9BoxNetLwf
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2556
    - - C:\Program Files\ldplayer9box\NetLwfUninstall.exe
        
        "C:\Program Files\ldplayer9box\NetLwfUninstall.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6860
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\Users\Admin\.Ld9VirtualBox" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5512
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\Users\Admin\.Ld9VirtualBox" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5676
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        
        PID:6796
    - - C:\Windows\system32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        
        PID:5408
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
    - - C:\Windows\system32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Modifies registry class
        
        PID:912
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5200
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6844
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6892
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c systeminfo
        5⤵
        
        PID:6032
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:7132
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'F:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2604

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3384

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004EC
1⤵
PID:5728

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2180
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6004
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5664
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5632
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39be855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\772D055D5E4421B179898A4E6FBD9ACC

Filesize
471B

MD5
e87ce7eecc5a24a75011ae4079f3f45c

SHA1
b79f4a8b3a48476fd0622c7e36c0359d72bb99c8

SHA256
09bc3145e97e3a94388a13830451aee755ccab282afccfab60bd27f16d69ef3c

SHA512
ba68c4e5b4d364ff328d8ff9e5d0e36b8c5d4ac8c08608a2fa4eb834dcec3d81e4ed54b5c7c4fb41d90429fbfce11b93e73a231fca922a572534eae6010e6e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
2ca1382dc7d1e57905776534a3ebe7fd

SHA1
e581cb1a2f96d358d3e210174e3c4b6affb255c2

SHA256
6d8510d4f4e986d1e4d71d501ccde09cc043d0c624986edca61317b6de59039c

SHA512
c39cefa9a7992de61787ccbc78e411faaa42a64786ad7def53362143347d00e62db5ee66c91d25d5d34a71a205058aa33b983f15ed9d545cf5d4e75908b4777f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\772D055D5E4421B179898A4E6FBD9ACC

Filesize
400B

MD5
bfb32e082348bdb36447db618680e850

SHA1
760582c951022a5d284d177d71b49c183a0b73bc

SHA256
2b80b61f0563020abb1ef9acecfece1f39e55222589315d35c38e5bb0d0f7882

SHA512
17c0c8185c3041546aa8f657f79120b1566700e0b460d65532d9e6272210b793809a8bc26f24ae88b736001cb9fcba0d2e458bdc10c0afcefa18e39c489a3114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
dfb993f2e3106504353a25225e7b8d59

SHA1
b263bd8f9be11d1c09b8cf78c2e039ffbb2670d2

SHA256
b41627110a63b06b772b1fd39484c3f200b6208e67250f8372369ce9161e6909

SHA512
459e756df9d3e0dc82dc359221ed8b54c876c489c2554335f5f942483d3435bc81c1f634aa68aa2677c0af299ee31d0b774b09b8372f8dfe02fde2522b089ed0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
26dc00f271bd0da35e7baec8d541df2e

SHA1
d294809ec788d1654ee5b2945de7c626a8662db0

SHA256
8f4136945acd01154799dd50fc8830cc30d88bc46b0ff1c993a50ee11a961a0a

SHA512
5568345440536aafe60d5ecafdb9745ab59c87538b4c3e7d3a8bf23b1ec647f19b19d6683f9d2cb9ea1cb3a7727665080771c342334c15aa73a5888c1fff802f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
71KB

MD5
20a5a164ba2dae0410b9b313e866cd90

SHA1
f54a317d3ec70e84cff1adc5539efe4e5d73bcf6

SHA256
9af9b0e7af47ffd8ad17c4eb49c00186b3d8f17991864c9d7d96b776693d6815

SHA512
5694424746d343340350cba7789f42a4ef1d0457a7815aa78fd9f20c541123ee5b525de86390f173963d70a2269cf8efe347f9cb56a80271456288617f62af39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
413KB

MD5
5de3a6ea82161fceb4b06409e28ea634

SHA1
14fa97316c6e983944197c112480e99c8fb9bf16

SHA256
e4c827966d4eacdae755c2f8b6938c8832f384adac3e66ef80956669abc9b8a5

SHA512
b884116eaaf6f97a2c7c84b3bb5b99b2e57d8517f530b480b809f670699a04dba0fb40cabd344ab2a3c2dc1297913d79a82978e75246e5fd268578481514cd80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
228KB

MD5
0ec6f6d315798c62465677981ed66a21

SHA1
17e9628fc9d6ebdacfaeba7408e4811b825ead15

SHA256
5ff23c5ed3ce01518a1fd03f2e876fddd920a5423b643e90789978ac0daa7e75

SHA512
6678bf47c327e52ebf92bf3f4431c7a1018fccac31b68f6e5deb5c029ee6ff4be7123744b05f361151b5840f929fe7961a777d7ee459b9edb992e623fff4f4f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
197KB

MD5
5ccbbff255ee8f4bc3fbad61ed4291b4

SHA1
127f94f7c87dc5c2698fea55c17e1ef288b855f5

SHA256
63e75bc15d55ab65c5bad18b51f58a64928baddf06d5c5b43546d95d14a901b8

SHA512
2a059bd6fdd98f81cfe220d5f01b1d8d52ec1c6372890de2e23b5ae818cc2d74d7e501be0a903d916dedd08ab313b0e477a886b5ae0b1d221acda08d5298c378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
326KB

MD5
6179a2571984fdcfb27c3212f571d945

SHA1
908bc296bc35dacab733febd493b08f572e0c406

SHA256
80851f1a7b17cc1fedc028c29ba199173a87304df9fe4d1ede567141ce95d3f1

SHA512
6b18d7cedb537e5e5506177cf541ff838766f69ccd43eb40159a2d06553a94e08adf05156f42ea3bcc797e90011efb9eb66b471668325c1b79165871b97c24b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
78KB

MD5
f206f8847f2bdc240b18bf8567c0088d

SHA1
80357748df1c0246bd96eedd5cb7699daf2d8ff4

SHA256
588c288f062d950409cbbb09755e3f840ff73f6f0c2066efe13f513503b62c98

SHA512
e6bcb18233a6d1855d164e88987b130a2ccce86d8cedde6247ca09b0eea1a3bd365a744975c6ffa0b90a200281485cbbf44df6dca485553c5a1d4e5fc276a486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000053

Filesize
2.1MB

MD5
2b259cd02570e0d7103c70fe9a9e4d17

SHA1
035fe918c59274c1fc662e7d88d0d92d1150fa19

SHA256
500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4

SHA512
2547a8b631ca07270668741612a8a0d3935008a98ab538f6a14fb1cf3e8d2d82ae7bbe9fe22a495b32ee16b038aaa268b2750ed42705fbf6d080249279cdcb27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006d

Filesize
54KB

MD5
4b7ecd257f0e110a4ad582d7d38f4d23

SHA1
2a5bb98230d640c8e18608d9b03771ee9f57a9d9

SHA256
95877c4adbf174b9122e8786e74e4c80a484c4da396fd74d65f5ac8ce626c7a7

SHA512
89423a889e17981c802e58fc81f389296063e3a15983c4e165c34675729ac857a54be0dbc5c9bdf0eb917c0103f6c0502eae8363ca0e9f3ecd898f34f412550b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006f

Filesize
28KB

MD5
d941188b9b59bef71f6e45581bf1e79a

SHA1
6e94b7ae29d6e57f671589dc705db04d54212521

SHA256
dc07053ec83b93bc1b877fea01a9117493077e7107bfde0441b53e523d34443e

SHA512
e74cfddad66b90aeaa2c0ba905ce05c30f7dc23eb18c69edc13cfe083f1d12db336acceff22715650a5959718bc723790b0dde4deda698d74850bc25c1426de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b7b993bfbab7dd4ddec53a9a8770c2ba

SHA1
5fcacf5376b8146141531c9e62ddd2d28aab20a4

SHA256
613749cd7c4e359dd0ed758809b04bfda1ec8d75f2cb54ee572c334f8030425f

SHA512
1f1d954b5ee8b41c11bb5fad65e7abcc823e3761b85eaf03b6cf4488da3ff58ec7850cd9b3420270dd6526b3d3394d94d1ab4299dce2a469e2f66e0cfc917765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
10b8b140e32a6518ef882daf7af40800

SHA1
13c119662a17d54274dd468e0548444729ea15f3

SHA256
4c5fe0837810a1d47df63591b7b5382ef2c15312a112ced23fb81d03c687b4e9

SHA512
1ae67c684a145cf3223f870917bd7f5d48fd6f3ea67fe4fd77ab37fcce9ae98ff5a44757c87736e953b6a8d4e926310bd686b425245708cd5b0b6aa4e240af35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4fdad05bc230e09bae4262ff8999f75c

SHA1
2a4f84e92a679e21f79c4eb4c2d7b6d6ef9b05f5

SHA256
019a1edfd0293c228a14631df4dd253921cb7c13fe9fbb331df4d825f754006a

SHA512
225b8121af4450911a7fc2bad9277f00b5e3e604725c6b25816401c327190021d125f3f27b8d3a59e12b45b32b00eaacbd881cac58363bd41123f0c033b53b35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c80783d42c47a1e42cd2110a7ec1b1f0

SHA1
daaff816282edf679812feb7ed8c5ddcdb2c79ac

SHA256
636b2729a53b426f96dfced3fae2f92413908d759c1c2e6c4ce7fb4b7b0ed075

SHA512
ef4cb7174c3f3b66c7ac0cc19ee4005d1801394f45802faeaf3a559a19b2c4df7730df141e4105e92e5862aad6f4210f6e0f292666ceae766ac101f2e8a8a12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1eade6929b003a92f21446b265b32c97

SHA1
96ad02300d2d5f0bd25a4920f09a2a21991eae70

SHA256
21ad76c0c8c89d3199d71770ed7dc4bdeb5206190b56fd1127a46aad640c61a0

SHA512
396117a0938d7d1e9e546ee0900f35a3c974a8d1fd064356cac8fd63a7ae3b10e0473be0cc8be55e4ed9c717744475003c1e893786ef5297976f3afd821d99e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
c4f870270c8b89c5ac40e4ba4f9e4815

SHA1
96a30512034d8261c9f30721829fbca2b07df551

SHA256
492a063dbba60a13dcd22056ebcce98d5687e34fed1021fec5d37db09ea63517

SHA512
7083b773afb152f28cd1a4ff6f0006be4b23cfa3f8b225e7c6e2e1253ef96b13191b9d947e2b6ab782e3560f9b200641b7a806729dfb7c7be1d38adeb07d5f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
30KB

MD5
6938d844cc07d559341f120078834e5a

SHA1
2709518cf57ae67fac27d839653eb5a204af6aa1

SHA256
8007e7c4544ae1eab61f6fad9253a46cdf53f648f67bbab41029d3115c7609e6

SHA512
fe8c78f77f35048018977961528db61e414defb215c0cffff4f637cc70996ce632d7b26846a2ac45c54abc9ef2073651cfdb5c45b990ff7ff88565c301eb9b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
97e9e88e53013353f377a23dd54938df

SHA1
208ce3c2d015988a93103eb646f828ef4c8e02a2

SHA256
d68625a4d80ee50bbb44acb3735694fcf62b12f8b2119929806e65a453cb6337

SHA512
fb287cd65a591badb2a71338e53d56ce71b5373368800dbe3ab48a060db896148a45ff20ca94b3b8797be515b81cc5c4aee99ae41bf02ffeb28ec9cd6b43b7c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
5d1ee4bde05035beaf1300b1a4a3db62

SHA1
a948dd527ff22ec12ef18551fc678190d89d1a33

SHA256
8fa8583a265a504a772c58ce4bd45c5ea0aa48a97672a0e69e0ae4ab376a1977

SHA512
32934b6dd74d65075916dbcb40a113ef9aff56ff97714b66a706b7e4433cc5a6a5ffa31158a940458cf940c04ec20501a6c327f1edfdda1559a22b312d638913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
beaad3abdbbfda612cefb3e86683804f

SHA1
cfdefbd2fe90d2b4014cac5d060368310990d8a6

SHA256
1d210af6f3b597f4f22cb75773d359725e5317532c099cbed0e65eead6d00a50

SHA512
734d1bbb1d772bba79089bd5d5c58823d5b8a966bd25ca9a47e125bb1452f0a71842ab8bacdb9653ac1960fdfa8f9b264a4f62ae38b6b0d888fe9f51cb62b789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
20d2fdc01b6e3145e70057e996875315

SHA1
f0fdca5c9c908694bf63552ff8be69a26c40c6b4

SHA256
7ed232695c46e599f5197c65d6f451b8aad6a90ce6fb97b738704e56c3011cde

SHA512
7807bb03f1acbec7fce0214d6eaf6cfc99dde9a5b85297ab88284d4f61bd04b062f40e466b9bc9622951f57435b5aee1f4998a9068f4882316ba6013ec4a60a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9d5c367d54d20f6f4ca40e17f631393d

SHA1
822c5ac32e228efd8f9aec34ea55ac7a4810b579

SHA256
5f5725d52399e6ee09bcee9028f7cef528a18930f4dd23a11e832f5b8502504e

SHA512
e74414275585eb40f3a0f5f780d7c5bde56baf1aa5a4e6971e71554efc89df6e88816ee0277c97a462c6fb064e2a8728b5673916d5d3cf5cfc6450360449e0d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
325ce0f2a966ac34d48cdca784e83000

SHA1
690a1c290987a33c1b913bba679e77836ab65f7d

SHA256
8332489a498abfaa7ecac018bda5fcd4e788072d4ba5e00c7b4ce2967e4c35de

SHA512
c48cf591bc9985ec1e9dbee636f9ac573877a76c813a9d69a4de3d747c02e597b059da8842f3e8d1bb67bdde1755a948d34e51c52a7021d4f2f2f949f474e2c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
01f2fb89812129872220155c117a2c6b

SHA1
35083439a6f314388a5e8f0059b52d344bb9df1d

SHA256
cb1046f148c1884353b1f3b0758b8716046d5232d55a28bcb3a3bcd08cf6e87d

SHA512
635c696b3a65766483e324b28450c64a5070eabf265ad7b3f54fda9d0746d0fd9ef7ef3e8c526a3c763e01f69ef0bf447d92df87797598930e644bc160d006e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3e65620b90c7e4438c2597dce6f8786f

SHA1
2564f146b6b4f98018b438876f641a85b4479bd8

SHA256
89cc98f8656fc5de98365c1eda4851be99e3ba74864d3d237f948f0526abc569

SHA512
907fb46033df87af69c10b7b50846a07417796ff3bac430d911afec04893c90a6465d674414095eea0f2d81938bd42278c29d29cd9988f46b7eb570c8084c3c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d5f3cee431d2677ee5f82b1ca7a2c1ca

SHA1
3dd963811de3f68c7d9eccb3f3c92092b49970ca

SHA256
6fc60771ba68e77773c226a601f8807b061bbf0c31c8473bbe734636488b80c1

SHA512
6255c9a01b7777488b5d868719f9fd8d5dedbe6d16851e1d0ae12ddc8057a87f4bf8af727c2279c521dfd55e6b7631f4e840687086fcb5c61ddcac9f634dbb7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
44a09d5e461a0a4e5ce231b1ff080816

SHA1
78ecc9ab5cf795a476659b3be14ba87f5be11d90

SHA256
adac76f3a0bef9a13328f236c92e18544661ff4fbd608fa098508d9399cf536e

SHA512
e6ef73cfb9d65775d448471ddf72e36492773fbb67f57807258ed7e5bdf4bdb8ab47536955396516f84c0a2d8237193db0db18a725a4c9c0a8b4f5860e70c8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
6af568db4f3711623c3f339571961fa0

SHA1
39943488380facd7eec8508e773953e610e46923

SHA256
b0ef4c43b89f3c7c1b4e6fdbb55f4fe1dac491dadd57d2981b7de4f8c6e708c3

SHA512
a54a78ff3365779ac8d7ed99e222a24fe4c6597d66eb0c68bbea32f13581a514fbc9adbf1bfcd014d48c0498a2888e7459e9db13c34dd33c1c6e786c51d772cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
459bb252129f0c5017dab569e7d39d06

SHA1
792d256a4f3e0d00a038a247e96c6fda9d37f812

SHA256
8132b5fe4b148fd8f48ededca7dfdfb9f8e03b6f78714dbb83f9e047fe4a5033

SHA512
1753d3560098bf7ae04a0625018d547b4510b533a28389b98dec6d89ce192a98f7610c61c6f5eafb40f379c7df80c777bddfc0dacbf5d19837a885cca3929ecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a8d8df16870441ca145f2fa258a5406

SHA1
77ae151593493c0fa25aed5b057f53d98d60a80d

SHA256
5a47a79381b650b0b15edb44f9fc977b797bf7519cc801287a7f18a6b247b93a

SHA512
69af721b252f355950bf67a0a260641bb79bb57eca0e80cc7375d5641d35502498a1125aa901751de28d8c08b7661ea97d536a3bb6754d98edbd1726a8f0693c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bb034cd72234b1f500c082b38ca70c9

SHA1
5de8d84d7918dc9241ebc788961e4b098679a172

SHA256
a5bf4dfb6f1e2ecec76e29e0ad971e3e23ec35da6242b31ac08a8ee10998ec14

SHA512
08866f68d77db3280d5e62d7ddd98710c3291b6eda709a1fcd0eb35f13b726a653375e7f5aa43a673fb0cf920b900e88860fcea44934bad3abf392f1f81bc482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
926b3c833840469a9573f09b1e65ef73

SHA1
61547771f233b1a867f273bad5ad46dd0920cd66

SHA256
18e65e403b31b78502a88866c76f37b1b4e5a720455bc13291017f9b65caa049

SHA512
b40fdd80c7f16d15ef1fae7c0b86308e6bf6be3887112031545a933c421c202f5b22b059d3758a63602c848c85c2f9ab629eb191bbbdc1a98e4779a0706bccc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7036e589acf0272d96b1322dc0c65158

SHA1
d945fa464de571846da8b87f3b8b600b81de40d1

SHA256
f17e7c7b394e560187c9f73d0091a88cb6c9e37b34d7e18d6b026444315480aa

SHA512
efa7b81687012343867324496e2fe65246c229625713929960fe44438e48dbf40d4a23aeaeb36affd0aa58b72895deea97d5e8dc3df1445fcd3eb6a843195866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef49389ae73ca0192c739a913bc9fab8

SHA1
c3acf0c0d132ffdda9b60e4ee7779187f53b3b0e

SHA256
a210162f82c65369d0d1e0d23e706c4360eda945561315a5ce4ed31db014e219

SHA512
c7b91cd38b993bfe40918cddc373fa4cdc087a0d57001692b5f569f3ad365d8138134adc3e973295bcac3ee15e3260dfdac1f9a080275dc6d34e57f575604d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79dfef2ea1694530cc386114b33ed7c9

SHA1
35d98ad59899d05fe8af19d00d35232729824207

SHA256
32515420ee1192861fb78cf4b5309fffe1a0f934f2ad3e62b17acbf149b1f98f

SHA512
89014fa1a58c9f077acdef880fbb7050e6b1097e52593800e1a834eaf4f7697dda0d4cc845b3517b30db6a7084a5d497e892f5068c1a3d09067b864d0aa7b0fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb2d9dfd1cc8cc0c0edc357c373caf6c

SHA1
d6e519289fce0b4012e997af5fa262353328095c

SHA256
432c71f1343c17967b02ae00ab8355701d06977b868a7e00db152b20607a36e1

SHA512
30f3581a39ca5d7f1575c358b5a0e351d93bdd036eff5ee58c083531f14f122b081929edf664d9e15cd9b03ec677aac11d73a3804fa440ce9cb9a2f30dabba04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bef52037cb6c5567813d773d03679226

SHA1
411eb2b39a2ce14b26bfebadf0c0ee9882d92c4d

SHA256
f4c8ad1b9291a20a05128371c6dec5131d492f84a00968c2b551be31802d1502

SHA512
680f5207fe19abe53c11b04edc061c96251db10944b32d3e4d53c24cd7d41a6e6e38a033b5c413311bbfa5524a892fb05dfb9fde7934a3e19e51354e2cbea0bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
38b22cadc80671e9330af03b9287e960

SHA1
9f33a084aaa746562a2faaf784357d5a0573b599

SHA256
6c1806a97104826e017b4c49ca009be417d67af9c9d25acf16e2437c16075a13

SHA512
a6a726fb4f6da0234358e548fac4b6a3d1790be1e3a426440e9c1f8c8a9d9f7e3a7603afde9683daaae3aa1e4c643ba61611cba87a38fb09683e4dd1a410c002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
12f0052e7aa753e56b76af7a12f2f485

SHA1
4ff2cf9e82413a55ac1ebf9a8ef5d6fa58140ef5

SHA256
57e6afd1b610aa4654a61bc28b0cf51575eb70c470b21aff66a114da6c655530

SHA512
01d06e7491056e97e8cf9f0f54e7a85bcf0fe09c81fdab2cada6719fcc451f082ca654185445796656b6da26355bcb8209afdbcc15fc0831d15d5b2464b6575a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fb469e6db1dfb0894edcbedf5c10ed05

SHA1
caa69f3b3a1945ad5880e11519ac361f1222d212

SHA256
9cd7879d6a83f3e7d401cd2846d47b51a160b3903b4cf372838060ca3ef1bce6

SHA512
a9dfc19fd44154721ea89058e2bab3ad67c1584cb06108324693572dc9127ad90653345831f998fe739f0dfe89999b58a7ba80afd1c570527eab9df62abf4383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
abb8bd970a826211062ee68805fe1421

SHA1
4c91c8ddd6e79401628c161437c00ae19378a718

SHA256
6339ba4f6f0546078622d475fa580d4b7c9bc53701f417447382fb843d1e0efe

SHA512
2d4f7c4b50427ca112e5c6ba9143d1a9e3a57f60753259accc2efaf9596af7330b19fef0e6ec279f43a1f58e0abf2fdbe967624a5e96921ab391989b315a1c47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9eed912fb259afd998360fd8211f5a8

SHA1
e316054e084ebe3c57ce77065f20b65e17173704

SHA256
caaa74fa78ee4ad125ee10b852d12c77684dc2b3b84d2c244ce2e809302d4b7a

SHA512
dfdbfb0e4bd66051c568b2ba6da75cbc14265c111f63d823717abfa306acd450cf062ef7110f1370b300dfea93528d44699c3db0d4bf464c5a4d38f514bc1053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
440eb3a70165f6cfecbfe1332d2a5d82

SHA1
cf9cbeff6b658e55f27be62fe479981ebda10651

SHA256
53fb568e993e0030571fb6249c0e1713ec56fb8d90919f55d2e24cda25819b45

SHA512
493ef0e4ca347429d0c66ec6c91a3f1f9f91d6cf10236e6a31db34bd3a76d4e8286397f3ca5109cf9fd96c31903e5ee22a25b8583e44f787d700de5bacfabdac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b3c651d0446a08961aad45334ab79cf9

SHA1
42e7045631c36ca8875fb1f9f5e3c9b7e097696e

SHA256
faeea25f5ab23960fc9a8e33ed61b89ed99b10fcfe2a87843af94221a2ff8b3a

SHA512
907f4c62ac4f40cb1ed2a4169a16154f1caf49f2b0459552a3e86ad51c8c45409844c36056772c8e5aa26764f9e97d8154a10f552ece3e6de22a35cbb5683e40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
860dc8dbb9987138e12277a56c808ef1

SHA1
27eeab212c157909925edc09d83a30b085da376f

SHA256
7898be12f66123b2fa90c185f5c42049deb8ae90444a8ddde2789e635c7b5da3

SHA512
559df7d172cd4ca89ab75de7757e610bdd32a499798790bc773b29c3928d9beb3c11378f3003fea7854892488edcdd8cc94d75459911806a4509dac7468a4325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4947cbbbf478d4621e63047eac71c8ff

SHA1
f724a8ef4d48e926ae467dc6c1ce4ac17075ca49

SHA256
390714584963e8c78ca3a5e803f9b7f2bf260caffd1c86f73fdf508bcdae4a28

SHA512
ef6e9fcf8f8f13148ed352c00271f1d006d1b9a631c53a4c6dd3b2bc5e7304b86755e0666fd87f14b9b5c597fe2d98289ba85ce76395f8faca26f5209f90aee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f909460f07b97f19aca4cb0f3bb353e8

SHA1
d844242d95c1bea3e1f9fb0162e1c102a38ba0cd

SHA256
6a539c3a58c863760346db39eeb17f689c8edc5f1a6bc990207bac4a4c0cdb7e

SHA512
3c8526f8721dc26448ae37ff26aa53c41710710e2107fb8ea8d4748291a242cf729026940789386107e229cac2bbc6c6371c3cfac3942d5d57cb93a774f6df01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da7b777262171392afc20713d1de9b5e

SHA1
d6cd44bb867e2a38c5e74e4ca5ff9d79fe107e3a

SHA256
1ccd2d7c7fe0489edc14da94da499a7b6dfe32a7ea43d70e3f9608b349f1c600

SHA512
716cb8876e671ea133fa3d094a39014f9979654b48fe7d4053c611de8c477093d39f1ca64418f265b75e8ef3f188e61f5dbb09d621016cd996f631d7f2a240e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
efb18d113bc57d74ae2ab866e9bd6204

SHA1
4f976077c498e6210114321b6f4637b18d7a0c8a

SHA256
a1af235b02acb422025882178d520a3de79b5a7f4acbfc04ee2495c24ee3d102

SHA512
77ff4de4ec38e2802441866d615d42639ddc68c86001c57fbcb2f5e45dab8c5e5efa27c50434695921ba0ac901bec7dac23adacd3c55885ea1fced5987579d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19966c61eb0b821cb6e6ddc42ee22706

SHA1
18f47e7d0458375b98a9ddbaf0afcd836edcb2b1

SHA256
6553f9a15e9a06e9c375b49c28cd58d1f18fbdbd37ebfdac7171b1d5bfdf467c

SHA512
9b26a8365df52e2385e0be90632cb1f6265ae244c18ea3c6e5743b459d9dc02f89efa638c9f767ff285643c26beffb21f1691887e07d65617f2cf85563bb4d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4d7154491e3b718b042c3420032faade

SHA1
26273067c9980031705a1712f9fc2df71a5f2ff7

SHA256
73d11b54bc00f7c3cbaaf11435dfe90ef46479476cb16bdc206d547daf6f5f7f

SHA512
800b3e04f780e06795f5b4df9106137378a8a84004754262e58db9648504f64ba71de302a147451f58f0a02e8eafb259ab42218e54b8981780adda7b6838fdde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7ad3cd58d618f45bbf358a11279195a4

SHA1
5e4a538055472b131e7ad94a0a9ca524d37f1766

SHA256
0b35f023ed08f45565b81aad057a35bc7280d61362d49653deb4669d33e16fd9

SHA512
865bfb462f2b3747a7a75b8f9ae943db250e71db77e8cb822c7842be61d902e322e85dfcf85fa5deed49b37a2c207e789f08192b2147704d4f1acd5533f4b27b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
df01c4c04b761a3278fdf2b4011ab57f

SHA1
ef0908a9d96caad584a47b3b6eb0173d3ab049dc

SHA256
817f730da3a3992db7d8e31facf3ba1c5af4a12836d955870b8d05d4ff4bb822

SHA512
915cafa6e9c341c5bd551d24496f8138436e675483b8a21dd7b653a9c05c234374597c668ea43e8d166ac4920ab58fcfaf5a1a6fe227f676cdc4d9aa09a80d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d978dbfc9c5efb5ebf14ca374b45ba4e

SHA1
d4e847366153d7ec9c582ee028a7c65ec038d3f5

SHA256
f2867ecb909b9963d19fb002e5b3787643b04f443f290d3b6be117dd4b6fb415

SHA512
9276066bfe4116252a3e9450e38d795ea86a44b02fbf63aa6a8902012eeb45952d91f8cd793307c615e741932e5009a086d77ed6ab9e8284cb82816b9ba2a450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
66d9adb1d280e849e690d4d3055d26eb

SHA1
d941553fd3b477b9e117ed52c5493a896be08635

SHA256
774d4d55803ca615eef07b7748139d475c7482ff09c44c3c58f9834dda1741be

SHA512
1b49f75660ca17f495ae334f5bbb9ac194fcc43fffb0ffe5dd83fca00bc49d9855f48b028e5f2e34cbf2b79b2108ca5450a91f4e9d36a644de5558250713f4ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe59380e.TMP

Filesize
140B

MD5
3eb609a96d295b1d1c8c983de33ebee6

SHA1
82a34ff80fee9f481d8f02baf66e83f3526fc0e0

SHA256
f16019f9e5346d20dc621e9fbc966cb9163e54a4bcda20d668e1b54925d056ad

SHA512
b6c3c1f605961c7ab60589ef7f964eba929aafe589cda8b4fdccfe709e5d363a75dda6bf6f68520646dddde4ae2ffcc38202d4f3c5e32f44514f56e332ea4bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
ee81c2366226d59533a41476c513669e

SHA1
d7c941b6e18e49be996357f7ca24fd6fbc49a1de

SHA256
fd0f18bc547cc68e09d7432a9718566faaaae878a20141e6060e99a13bbd4eec

SHA512
56a1feb84bea9c9b636abeddf4a00816b3c1e18384b4add04bcfdeb73c0eb6f9f614b489554df8d35ed33bda27f0cd73841c8c45bbf42f50b92297a1c3d43afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
b77f8ee9f3b8305e7eb8be964471a6c5

SHA1
98974d50ae31777f9b6bd952ed67928e35141f98

SHA256
4f78d8d7f3ff7df3eb82ae5c48362c0ab15a33f467071c9aea791a12074f23f7

SHA512
cc7ea2c92e151271f64d0910b82665985f04ecc1de0fd99c9ea051b65bb52206e7ba1fb957d93510b77ac7a8cc3028a93182299722c0612fcec2ea41dd84e627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
e7f653063393fce2c80cdc5967f92a24

SHA1
6a5c993a416399847c5d5fc6a320ff44573770cd

SHA256
40129a307e940a40ee4a29ca27c6c5a0dcfd3c7b91af1d78e642a75cdf0d03c9

SHA512
32f99f02a224712e2c2cdbdca8490d26ef4f7aca14c4d5ef5df3c67b5eb73d9a3f8b459eec174a7ec9bc043d2b02760c4d4ff3e6c05d70e1cd070d548819b2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5332d65d7c50eee952b71eda55782f27

SHA1
9039a05b96d6f5fc532a4ddb304ec01aa2fe5879

SHA256
b677f0eeb2f0c049f48cc35d484ead2ba5434a74e4264e64d7f426fe45f2ff0e

SHA512
eeff99092be3b0bcf81e9ba0f2a72d592938ef90952e533f903707d1e0af2138db62a4b491476f499a0909bf52fc7aada7aa832c73aa882d40f488afe5b29b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8baaf6c583536c9e6327e9d4fddb4cc

SHA1
0c1436d1a870038a6cb0195704658ef59ef78906

SHA256
7cea1717ca57c727378be31a2046e1b4be05ceaff81e76d45b5b3fb1a0b09507

SHA512
6cdb5d74ebf3c2f398c2032e6047f32b342db6f28f997c9c3df2351e307b316a6d66127a3ba6f0b1a721e5afd50a5578ec9835ea25708fcd49850ec4ba64dd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5f1dd8b5-74f3-42ec-92ff-e4330736c6d2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a5779a0d62554b7c41dcc07038a17797

SHA1
144015b3947399f1e2cc62f89e84a755b007b5b7

SHA256
5ab2696d80dfee52966aef520bd097d21156833d12655d0ab33322c533465174

SHA512
b7b0f55099fcfe3ae4d494bbecc3619c1fb6fee505dbcf9b14101456aa6f5d6b61b9bc2d9eab74eea3142cef7bddc21c9d4416d9896d762de0e9b6b6845b58ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6af99dd6d6be361c73c2b7691386e069

SHA1
c598420ee49a54ca17439b389fc8a29480ce7683

SHA256
d60e553966f27b4cfdf1f3c9868b02c5fbc176ecaa66a00d8bee7d544692710e

SHA512
aadb5162777e4af28c252eee8cd1af4b862378e281479901384b30587b2262222892d5b578612cf71aed66c900ed2dc10a6d2f166f86be9e2353c0a3b14bf3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aed9e889197cb11fb793f4f0b5ed49f9

SHA1
526048265cb04e36b0ab4039467589b2b93cc91d

SHA256
4761ea7eea72ea9aca2823452233331c334a6a06ddefec230112e6b763a3457d

SHA512
c858f763d10cf035c5b6a264f10ab2e2498249bb6b7b4a3c2b8c3e5eca8ce1f492089fe95b9e8bb68c28fc6c304bb6fb5a180bc598329e6c927c717e65c40872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
185d74f66bea7542489e30aa09589b9d

SHA1
9ee87ebe367d4409c6da5b95cd270f3a50138d2a

SHA256
eae58b700c8bad3f7ab16962dc15ccd1ba37b45e62fd154b9e16ff0c0862b80f

SHA512
43bf1726b02e623bfe5932f539e6e705e56697984903059338b3efa4aed05717a869f3239b690e8619d8da4da3d27ea07f547461b58358bfa7951333229cd7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff803c9c79eb775d6a702297a8cc71cd

SHA1
676e72f286c243c0888ed198699dba13eee47aa7

SHA256
bb1fb3b3b6e0fbaf34250373613dce875aed936d45397395dca12c870bf67683

SHA512
f9b93e401df542711e419cf523a6a0f1de7e98d0ab5d2be9ac38f590a29bf81b920c6326e616b74902da10006dc66505cd2a673662e32533b6e8880944311dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
848abde2af28d7f6095cd7facbebea36

SHA1
32663b7c638f2cc6e66dc48b4c85fc3d2ce65895

SHA256
6a3f7ac0be55ae01e80efe437a8fdd602a7f50943eac90dc1a69713fb848b2b0

SHA512
5d5976e8983f9ae9230b1c3217d543e0933c0dc819988e440a2963014dbf5e0daf014b5cb98d24afd53daab31f812a403b86703095654d4bb841420ae686327c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d1857d18-cc24-4b77-a1c1-252de0bb90b8.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbkskqi5.yhy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QTBVQ.tmp\MegaHack v5.4 SETUP.tmp

Filesize
697KB

MD5
832dab307e54aa08f4b6cdd9b9720361

SHA1
ebd007fb7482040ecf34339e4bf917209c1018df

SHA256
cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3

SHA512
358d43522fd460eb1511708e4df22ea454a95e5bc3c4841931027b5fa3fb1dda05d496d8ad0a8b9279b99e6be74220fe243db8f08ef49845e9fb35c350ef4b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4604_712952242\8e4073a4-1a31-4e94-97d9-adedd9a11c6e.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4604_712952242\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
0cb589dda71f16ed3e788985705d654d

SHA1
d7544de2a75a14e2677f89142e684a90019aad77

SHA256
0edf9cc62c66f91eef4ff01848f9324999df945cc1d1d41c3fd6dfe075f6e49a

SHA512
e4f2649071432f46f3e12491c36d906cfd5aed506cf9cba3bfcb45f826d0afdd207f99901491adea6128bde223439aaee2b5e63c22ac6ed9a15eb018a9e01872

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
F:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1ea48ba4040743ffc511b0cc923a178b

SHA1
72b76002087d62c9580ff2a1655b41095826acc4

SHA256
1e2e3ca8d4bfe01a68586e3568b8964eba8bf92a6bc19b7c245865ad9ba7280e

SHA512
20bc651739a267514cf2b7d158c2d0a56ac0251fe8c5f79eed7d88f6628d92d3bd3b697a6c958fb1f46f853c6defa204a6557996ad9d32a741e787cb8188026d

Download Submit
F:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
c4e98fdba5d3b3a95f96abf279bf240a

SHA1
c6bce2c2ae044fd4054a58f2fd9757252b4e9afe

SHA256
1f817c6cf7ba37f0d89e45640639e1b8256639045de98bfa63f17de3f4eacb16

SHA512
799cfbda36d41e2029b1d13a600807731cb230b2ceb96f2b77a260f4ea174af810ba1e64dd04d43a38f9caa6775ae0523c61f614e5b8c857433cb02ae06ef5ac

Download Submit
F:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.7MB

MD5
b668762c83ea3cb69a400824e3c56c23

SHA1
087621217249a70dfd7cbf2c46ee7a3053636d9d

SHA256
c167875d270e8a307dc7c125a118d2fce8b61425dded1bff0486115e6677afb9

SHA512
819928240e9f005cee2101f84d7c27bd1036f625d77ddd12f672b54d993fd4bdce32189f369f18ac36786b07d8d6602f281aa5888db7a86f92ee5ba2d179ec29

Download Submit
F:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
10b376bf925c50a88096b601abef4d80

SHA1
24a3d1ecb2e0087b2140c6674453fcf9d82cf150

SHA256
13a241b6d1144cbe2e11c9d46ebd26a649f574db8c4bf1a98a92fbe824038912

SHA512
fb7dc9db718dd94c7d275388aa376ca219b8c865d6a05b6392d5acc964c67980458ef2ad7746ac8589e01cb95e4830c7ca0301c15300de1c6c02d2a8bf52bde1

Download Submit
F:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
ba84bf6204db711f866adb2841d5c91c

SHA1
807a03b5ddb07b9e8e30c8261e3ba5514cc537e2

SHA256
dad6ee5a8b12b9396b56d827fe91fc8d3f9468428e32902390c0ddef596f2f26

SHA512
ad18d5a353add4e7ffc8868c9ce62ebea947531684e4a054dce116a97a8397dfce39dfc7744cf416fc1259035824645a8ae71b4eed9f8fd5d534c29995c0578a

Download Submit
F:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
F:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
F:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
F:\LDPlayer\LDPlayer9\msvcr120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
F:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
F:\LDPlayer\LDPlayer9\system.vmdk

Filesize
234.5MB

MD5
476e36aee14595271d65fa7ff417fe9b

SHA1
80a78541214ab40ea6eb00c6c78eb655e9c79952

SHA256
cd2a6afc3f675bff28b987da28df94cdcaaa8d6efca861582db765edfd529401

SHA512
6d262f338268b93ad88e669af1fd4247604754cad004ac6eb75da76e217d7adadf7b63b261886b93c26013c7c4cc40ff525a90f7705e71e437fd31e7cbcb0d4b

Download Submit
F:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1810.3MB

MD5
e0d3d7578ef683fe4697cdf1e60ee3ab

SHA1
59056ddf309426d7046fa521b608ed03cc927ce1

SHA256
aa4e81985a479e1d20281404a064565e451b84066c65700f18ec6f0b5a562f24

SHA512
0661dca80efe9683940e010ed4f5eaa16a48754dcb9b579c39964bb23773b47d64de2565c25ebb6a4b5ebd8400663d0dd6069702e0a23f5ba557a4226f4b1b1e

Download Submit
F:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll

Filesize
18KB

MD5
cde2424d99db56dd0d1eaf34811738c1

SHA1
cc7889c43729b93a4e193b2fd6ae5f22b6ad6b8f

SHA256
4ceaf28cadfd0929b44e9c686b93432a7151504c8ffe2a6afe516f9b16538131

SHA512
d5b8ef2de3fefde29b2c9cccb330c3076ba71d6ae29e1b34617057d8a832d37eae8e2f238e2abb6eb226453c00a835c669a7c03a00cd1698d02272d8eb6998e2

Download Submit
F:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
17KB

MD5
acf4321ac8c8ff4d0442c799d621f8d9

SHA1
b12f87e6afc48697f1ce8b587715361e89b79cae

SHA256
69b84f7318798a91143e3d273ae9c0bedaabba930e3702447d493e2b8dd70725

SHA512
7878a7cd62f9d259a6bab05e13e9ac5b16437c0d8bda46e864f205465ae19531e5655d7547ae1594a53a05ddeb8b0c6058a73caeb21cd7c81fe5a424303d3bde

Download Submit
F:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

Filesize
17KB

MD5
3c47c25b8141d20b2b4d576000000a61

SHA1
04543f9cdd847ff66389c9fd1e12b444dae6383a

SHA256
290030199e8b47d6bcf466f9fc81fee7e6aebc2c16a3f26dd77019f795658956

SHA512
c599ef06045583b28faac051909c28f5f2fa56c34d47f3bd49efc101a1cdcb571a298eb100d0b381e3ebb1ba19b2fb4dd5127f259eb8ab183753722ecbe0f10a

Download Submit
F:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
18KB

MD5
e05ce0232e64328c62c9da37698566bf

SHA1
50c25e6ecec2cd17ecf3117bb9a646ba107d2b84

SHA256
573aed3f3eb436f9b7c24d51be3be2105deb8149ebda9b964660930c957b2410

SHA512
8093bd5d1ad96d759a5d9183fca27d7cb756e0884776673f132d20119e602ea33f8121893b9b90965b0eb5710e244faf4e2ad738479998fc2c5dc37f83fe18cb

Download Submit
F:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

Filesize
21KB

MD5
a26c7ffcf18b62904dab7786de638ea6

SHA1
b28489bc38ee2f522ee83dcf49faeb96f39a77e3

SHA256
74075b7af84378cee0d035c020b320ee52a120b21f71a4972093c9e23d534830

SHA512
768c8d7818acacf83d8bd020ab239408673f6cf9e0e8f1be1dab2dd58c5df4e45b970baf7d8d09887280be0788790eacd6126274deaca6b1c4b7bad3e335b34f

Download Submit
F:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
6a55a7e284b51b086b63cc6f2061ce8b

SHA1
46a48a1ccf5262038b71ed4be09cf625009d078d

SHA256
d9973270a952b4ce615104520051e847b26e4b1cc330a5a95ba1ae128f0dfdeb

SHA512
6a6ba643bf15581cd579e383bac351ccae714d50453cff52cac7dcf5bd472a170e7d33b0509c7bd50c5e76e8a0304fa88dcad63a9e2cd0694a5c56f4a21ae363

Download Submit
F:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
371f9d7965aee9bc703c32a65f564cbe

SHA1
68d8c2fd35c498675ff4a7df73e51bd7f64e89c4

SHA256
e4ec9eb6f901caf96ff8e6779f4a0bc2248ac1bccd845176bd9bac57a951788a

SHA512
fca6cfee752aacd1461f16d609e5818c2a73d416f4066892ffee406828b3bd0b76e0cafc062ebe6b6c9ceb4320f914ab72cc51ced125dbc32bb66e1e2a400fd5

Download Submit
F:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
F:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
memory/112-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/112-9-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1072-2877-0x0000000073360000-0x00000000733AC000-memory.dmp

Filesize
304KB

Download
memory/3876-2023-0x00000000054A0000-0x00000000057F7000-memory.dmp

Filesize
3.3MB

Download
memory/3876-2032-0x000000006F690000-0x000000006F6DC000-memory.dmp

Filesize
304KB

Download
memory/3932-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3932-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3932-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4852-2003-0x000000006F690000-0x000000006F6DC000-memory.dmp

Filesize
304KB

Download
memory/4852-2019-0x0000000007100000-0x000000000710E000-memory.dmp

Filesize
56KB

Download
memory/4852-1985-0x0000000004FB0000-0x00000000055DA000-memory.dmp

Filesize
6.2MB

Download
memory/4852-1988-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/4852-1989-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4852-1990-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4852-1999-0x00000000056C0000-0x0000000005A17000-memory.dmp

Filesize
3.3MB

Download
memory/4852-2000-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/4852-2001-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/4852-2002-0x0000000006130000-0x0000000006164000-memory.dmp

Filesize
208KB

Download
memory/4852-2017-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/4852-2016-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/4852-2020-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/4852-1984-0x0000000000ED0000-0x0000000000F06000-memory.dmp

Filesize
216KB

Download
memory/4852-2018-0x00000000070C0000-0x00000000070D1000-memory.dmp

Filesize
68KB

Download
memory/4852-2015-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/4852-2014-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/4852-2013-0x0000000006B50000-0x0000000006BF4000-memory.dmp

Filesize
656KB

Download
memory/4852-2012-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/4856-2047-0x0000000005860000-0x0000000005BB7000-memory.dmp

Filesize
3.3MB

Download
memory/4856-2053-0x000000006F690000-0x000000006F6DC000-memory.dmp

Filesize
304KB

Download
memory/6460-2895-0x0000000073360000-0x00000000733AC000-memory.dmp

Filesize
304KB

Download
memory/7060-2847-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/7060-2846-0x0000000007120000-0x00000000071C4000-memory.dmp

Filesize
656KB

Download
memory/7060-2837-0x0000000073360000-0x00000000733AC000-memory.dmp

Filesize
304KB

Download
memory/7060-2836-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/7060-2835-0x0000000005920000-0x0000000005C77000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads