guerrilla | 500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4

Analysis

max time kernel
1049s
max time network
1028s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
06/04/2025, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_1001_ld (1).exe
Size

2.1MB
MD5

2b259cd02570e0d7103c70fe9a9e4d17
SHA1

035fe918c59274c1fc662e7d88d0d92d1150fa19
SHA256

500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4
SHA512

2547a8b631ca07270668741612a8a0d3935008a98ab538f6a14fb1cf3e8d2d82ae7bbe9fe22a495b32ee16b038aaa268b2750ed42705fbf6d080249279cdcb27
SSDEEP

24576:Ezvv2Jddh0hXxwQNBH5ffUX5zAEefc5Urz5Eo7zrrdXbETyLAyNBN/8LcpmZQ4J/:22e1iify35cdrrFJAWb/8amDe8hSSw0r

Score

10^/10

guerrilla discovery execution exploit infostealer persistence privilege_escalation rat trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla
Guerrilla family
guerrilla

Guerrilla payload 1 IoCs

resource	yara_rule
behavioral3/files/0x001c00000002b1a6-291.dat	family_guerrilla

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\FuncName = "WVTAsn1SpcPeImageDataEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\FuncName = "WVTAsn1CatNameValueEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1372	icacls.exe
2172	icacls.exe
4724	takeown.exe
3024	takeown.exe
4732	icacls.exe
2284	takeown.exe
4548	icacls.exe
3832	takeown.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1372	icacls.exe
2172	icacls.exe
4724	takeown.exe
3024	takeown.exe
4732	icacls.exe
2284	takeown.exe
4548	icacls.exe
3832	takeown.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer.exe
File opened (read-only)	\??\F:	LDPlayer9_ens_1001_ld (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
71	discord.com
75	discord.com
70	discord.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winmgmts:{impersonationLevel=Impersonate}!\root\cimv2	LeoMoon CPU-V.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\VBoxAuth.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStub.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVBoxDbg.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStubLegacy.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Install.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\UICommon.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuthSimple.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBugReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSVGA3D.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCpuReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES12Translator.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedFolders.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCAPI.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxManage.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\EGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetDHCP.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1049802147\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1233052953\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\classification.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_527905678\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1993425509\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1486609571\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_599834171\nav_config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1233052953\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_945304223\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1690256036\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1660651621\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1233052953\smart_switch_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_713164578\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_2143658550\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1882758133\crl-set	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1882758133\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1486609571\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1690256036\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_713164578\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_713164578\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\travel-facilitated-booking-bing.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1993425509\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\automation.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_2143658550\deny_full_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_2143658550\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_945304223\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1049802147\kp_pinslist.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_527905678\arbitration_metadata.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\autofill_bypass_cache_forms.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_945304223\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1486609571\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_281142584\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\extraction.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\manifest.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_713164578\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\travel-facilitated-booking-kayak.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_945304223\safety_tips.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1660651621\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1660651621\well_known_domains.dll	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_599834171\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\keys.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_2143658550\deny_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_599834171\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_713164578\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_2143658550\deny_etld1_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1882758133\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_945304223\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1049802147\ct_config.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_281142584\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_527905678\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1233052953\office_endpoints_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\edge_autofill_global_block_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\regex_patterns.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\v1FieldTypes.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1993425509\manifest.fingerprint	msedge.exe

Executes dropped EXE 14 IoCs

pid	Process
4504	LDPlayer.exe
5048	dnrepairer.exe
224	Ld9BoxSVC.exe
4836	driverconfig.exe
1124	dnplayer.exe
5088	Ld9BoxSVC.exe
3572	vbox-img.exe
1216	vbox-img.exe
2056	vbox-img.exe
4760	Ld9BoxHeadless.exe
4232	Ld9BoxHeadless.exe
5116	Ld9BoxHeadless.exe
3692	Ld9BoxHeadless.exe
4720	Ld9BoxHeadless.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2332	sc.exe
2884	sc.exe
1740	sc.exe
3492	sc.exe
4920	sc.exe
1548	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
5048	dnrepairer.exe
5048	dnrepairer.exe
5048	dnrepairer.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
224	Ld9BoxSVC.exe
2412	regsvr32.exe
2412	regsvr32.exe
2412	regsvr32.exe
2412	regsvr32.exe
2412	regsvr32.exe
2412	regsvr32.exe
2412	regsvr32.exe
2412	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
4840	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
3856	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4896	regsvr32.exe
4836	driverconfig.exe
4836	driverconfig.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe
1124	dnplayer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1001_ld (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LeoMoon CPU-V.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1424	systeminfo.exe
1512	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884038068168669"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\CLSID\ = "{20191216-c9d2-4f11-a384-53f0cf917214}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\ = "IChoiceFormValue"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\ = "IRuntimeErrorEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}\NumMethods\ = "64"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\ = "IGuestProcess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ = "IToken"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ = "IBandwidthGroupChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\ = "IMediumRegisteredEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ = "IGuestProcessStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ = "IMachineRegisteredEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\ = "IHostUSBDeviceFilter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\NumMethods\ = "82"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\ = "IStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ = "IGuestSessionEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\ = "IStorageDeviceChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\ = "IRecordingSettings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\ = "INATNetwork"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\NumMethods\ = "18"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ = "IMachineRegisteredEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\NumMethods\ = "11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\ = "ICloudNetworkEnvironmentInfo"	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\leomoon-dot-com_leomoon-cpu-v_win.zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2876	LDPlayer9_ens_1001_ld (1).exe
2876	LDPlayer9_ens_1001_ld (1).exe
2876	LDPlayer9_ens_1001_ld (1).exe
2876	LDPlayer9_ens_1001_ld (1).exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
5048	dnrepairer.exe
5048	dnrepairer.exe
1780	powershell.exe
1780	powershell.exe
3156	powershell.exe
3156	powershell.exe
2440	powershell.exe
2440	powershell.exe
4504	LDPlayer.exe
4504	LDPlayer.exe
2876	LDPlayer9_ens_1001_ld (1).exe
2876	LDPlayer9_ens_1001_ld (1).exe
2692	msedge.exe
2692	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1124	dnplayer.exe
3100	LeoMoon CPU-V.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe
Token: SeDebugPrivilege	4504	LDPlayer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1124	dnplayer.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1124	dnplayer.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe
6112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4504	2876	LDPlayer9_ens_1001_ld (1).exe	83
PID 2876 wrote to memory of 4504	2876	LDPlayer9_ens_1001_ld (1).exe	83
PID 2876 wrote to memory of 4504	2876	LDPlayer9_ens_1001_ld (1).exe	83
PID 4504 wrote to memory of 5048	4504	LDPlayer.exe	84
PID 4504 wrote to memory of 5048	4504	LDPlayer.exe	84
PID 4504 wrote to memory of 5048	4504	LDPlayer.exe	84
PID 5048 wrote to memory of 2484	5048	dnrepairer.exe	85
PID 5048 wrote to memory of 2484	5048	dnrepairer.exe	85
PID 5048 wrote to memory of 2484	5048	dnrepairer.exe	85
PID 2484 wrote to memory of 4632	2484	net.exe	87
PID 2484 wrote to memory of 4632	2484	net.exe	87
PID 2484 wrote to memory of 4632	2484	net.exe	87
PID 5048 wrote to memory of 3312	5048	dnrepairer.exe	88
PID 5048 wrote to memory of 3312	5048	dnrepairer.exe	88
PID 5048 wrote to memory of 3312	5048	dnrepairer.exe	88
PID 5048 wrote to memory of 656	5048	dnrepairer.exe	89
PID 5048 wrote to memory of 656	5048	dnrepairer.exe	89
PID 5048 wrote to memory of 656	5048	dnrepairer.exe	89
PID 5048 wrote to memory of 1992	5048	dnrepairer.exe	90
PID 5048 wrote to memory of 1992	5048	dnrepairer.exe	90
PID 5048 wrote to memory of 1992	5048	dnrepairer.exe	90
PID 5048 wrote to memory of 4512	5048	dnrepairer.exe	91
PID 5048 wrote to memory of 4512	5048	dnrepairer.exe	91
PID 5048 wrote to memory of 4512	5048	dnrepairer.exe	91
PID 5048 wrote to memory of 560	5048	dnrepairer.exe	123
PID 5048 wrote to memory of 560	5048	dnrepairer.exe	123
PID 5048 wrote to memory of 560	5048	dnrepairer.exe	123
PID 5048 wrote to memory of 4156	5048	dnrepairer.exe	93
PID 5048 wrote to memory of 4156	5048	dnrepairer.exe	93
PID 5048 wrote to memory of 4156	5048	dnrepairer.exe	93
PID 5048 wrote to memory of 3268	5048	dnrepairer.exe	94
PID 5048 wrote to memory of 3268	5048	dnrepairer.exe	94
PID 5048 wrote to memory of 3268	5048	dnrepairer.exe	94
PID 5048 wrote to memory of 3024	5048	dnrepairer.exe	95
PID 5048 wrote to memory of 3024	5048	dnrepairer.exe	95
PID 5048 wrote to memory of 3024	5048	dnrepairer.exe	95
PID 5048 wrote to memory of 4732	5048	dnrepairer.exe	97
PID 5048 wrote to memory of 4732	5048	dnrepairer.exe	97
PID 5048 wrote to memory of 4732	5048	dnrepairer.exe	97
PID 5048 wrote to memory of 2284	5048	dnrepairer.exe	99
PID 5048 wrote to memory of 2284	5048	dnrepairer.exe	99
PID 5048 wrote to memory of 2284	5048	dnrepairer.exe	99
PID 5048 wrote to memory of 4548	5048	dnrepairer.exe	101
PID 5048 wrote to memory of 4548	5048	dnrepairer.exe	101
PID 5048 wrote to memory of 4548	5048	dnrepairer.exe	101
PID 5048 wrote to memory of 3832	5048	dnrepairer.exe	103
PID 5048 wrote to memory of 3832	5048	dnrepairer.exe	103
PID 5048 wrote to memory of 3832	5048	dnrepairer.exe	103
PID 5048 wrote to memory of 1372	5048	dnrepairer.exe	105
PID 5048 wrote to memory of 1372	5048	dnrepairer.exe	105
PID 5048 wrote to memory of 1372	5048	dnrepairer.exe	105
PID 5048 wrote to memory of 224	5048	dnrepairer.exe	107
PID 5048 wrote to memory of 224	5048	dnrepairer.exe	107
PID 5048 wrote to memory of 2412	5048	dnrepairer.exe	108
PID 5048 wrote to memory of 2412	5048	dnrepairer.exe	108
PID 5048 wrote to memory of 4840	5048	dnrepairer.exe	109
PID 5048 wrote to memory of 4840	5048	dnrepairer.exe	109
PID 5048 wrote to memory of 4840	5048	dnrepairer.exe	109
PID 5048 wrote to memory of 3856	5048	dnrepairer.exe	110
PID 5048 wrote to memory of 3856	5048	dnrepairer.exe	110
PID 5048 wrote to memory of 4896	5048	dnrepairer.exe	111
PID 5048 wrote to memory of 4896	5048	dnrepairer.exe	111
PID 5048 wrote to memory of 4896	5048	dnrepairer.exe	111
PID 5048 wrote to memory of 3492	5048	dnrepairer.exe	112

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld (1).exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld (1).exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=786754
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3312
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:656
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:560
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3268
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3024
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4732
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2284
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4548
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\Users\Admin\.Ld9VirtualBox" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3832
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\Users\Admin\.Ld9VirtualBox" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1372
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:224
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:2412
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4840
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3856
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4896
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3492
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4920
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:1424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3156
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2440
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4836
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x300,0x7ff9ca25f208,0x7ff9ca25f214,0x7ff9ca25f220
    3⤵
    PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1892,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2212,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:11
    3⤵
    PID:4008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2608,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=1868 /prefetch:13
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3520,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4284,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1
    3⤵
    PID:2704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4320,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:9
    3⤵
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4608,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:1
    3⤵
    PID:348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4648,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:9
    3⤵
    PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:14
    3⤵
    PID:1140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4292,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:14
    3⤵
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5628,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5304,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:14
    3⤵
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5128,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:14
    3⤵
    PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3540,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:12
    3⤵
    PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5432,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:14
    3⤵
    PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6224,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:14
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6224,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:14
    3⤵
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6428,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:14
    3⤵
    PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
      cookie_exporter.exe --cookie-json=964
      4⤵
      PID:5816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6552,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:14
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6500,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:14
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6916,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6912 /prefetch:14
    3⤵
    PID:5912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6528,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6604 /prefetch:14
    3⤵
    PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7032,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:14
    3⤵
    PID:5964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7064,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7088 /prefetch:14
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7352,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:14
    3⤵
    PID:6112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7112,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7080 /prefetch:14
    3⤵
    PID:5492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7652,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7628 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=7332,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7572 /prefetch:1
    3⤵
    PID:5860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=7692,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:1
    3⤵
    PID:1340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6908,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7432 /prefetch:1
    3⤵
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6620,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:1
    3⤵
    PID:5360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=7252,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7712 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4996,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:1
    3⤵
    PID:6064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7048,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7676 /prefetch:14
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7532,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=7540 /prefetch:14
    3⤵
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7516,i,11428005600706474691,2060191246999060989,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:14
    3⤵
    PID:5448
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1124
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:1512
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    - Executes dropped EXE
    PID:3572
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:1216
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-update-the-graphics-driver.html
    3⤵
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x30c,0x7ff9ca25f208,0x7ff9ca25f214,0x7ff9ca25f220
      4⤵
      PID:240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1800,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:11
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2088,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2336,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:13
      4⤵
      PID:784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      PID:3860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4872,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:1
      4⤵
      PID:5868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4760,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:5544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5308,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:1
      4⤵
      PID:3008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5464,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      PID:2848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5204,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5184,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:1
      4⤵
      PID:5252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5152,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      PID:5964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6200,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:1
      4⤵
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6140,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:14
      4⤵
      PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6508,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:14
      4⤵
      PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6984,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6992 /prefetch:14
      4⤵
      PID:6076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7276,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7280 /prefetch:14
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7276,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7280 /prefetch:14
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7740,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:14
      4⤵
      PID:5404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7752,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:14
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7764,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7676 /prefetch:14
      4⤵
      PID:5032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6600,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:1
      4⤵
      PID:6128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6652,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7516 /prefetch:1
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=5808,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:1
      4⤵
      PID:2660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5228,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:14
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5440,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:1
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6308,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:1
      4⤵
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3480,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:14
      4⤵
      NTFS ADS
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:14
      4⤵
      PID:5388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=4852,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5992,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:14
      4⤵
      PID:6016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7048,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7248 /prefetch:14
      4⤵
      PID:2944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5100,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5760,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:1
      4⤵
      PID:3952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=4976,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7724 /prefetch:1
      4⤵
      PID:6104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=3644,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=864,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:1
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=8140,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:1
      4⤵
      PID:2496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=5112,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:1
      4⤵
      PID:5872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=8028,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:1
      4⤵
      PID:5412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8012,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:14
      4⤵
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7828,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=1480 /prefetch:10
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6900,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:14
      4⤵
      PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6972,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14
      4⤵
      PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3436,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7124 /prefetch:14
      4⤵
      PID:2112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5532,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3424 /prefetch:14
      4⤵
      PID:1180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6432,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=7584 /prefetch:14
      4⤵
      PID:5404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:14
      4⤵
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3728,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:14
      4⤵
      PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3944,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6996 /prefetch:14
      4⤵
      PID:5084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:14
      4⤵
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2368,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6884 /prefetch:14
      4⤵
      PID:1712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1192,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7068,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:14
      4⤵
      PID:1300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5244,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:14
      4⤵
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6112,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=8096 /prefetch:14
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1480,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:14
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6148,i,18409602245138762000,11491858219692987257,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:14
      4⤵
      PID:4168

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004DC
1⤵
PID:1852

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5088
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\Temp1_leomoon-dot-com_leomoon-cpu-v_win.zip\LeoMoon CPU-V.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_leomoon-dot-com_leomoon-cpu-v_win.zip\LeoMoon CPU-V.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
ce2b7d0187c5d4ea09ca8886541219cd

SHA1
997cbb97b97c66fd764c3c6553bf529fcce9a861

SHA256
3d54b3b4ba19f60ee49c661c0cb557797fb4a0889407471e412b56ccafefdab0

SHA512
c8056459334f79842105aaa497ca6386ee5bbc30c7f9b6f18d34774fd0235b9cf47734d12e8b0ebe7641f17865b1b33501e18a9ce3318991f8722775d5172107

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
4310dffb1b73f0385602ac1a41d74965

SHA1
51bd46fced5a0132ae589a106346034de8a09e77

SHA256
ea410a33a9edb0878255a3fa5c7f397c870299ad35a64bd079088694639b73d9

SHA512
5c2027edf15a03c6323e3093e3e605dc2a5649af71d74111dbc7e7841a9287d8e71ff34a131745a5befe24818a20dd1a2cd08686f183c4be58060602ca022468

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.7MB

MD5
3b871802e6bb351d35e81e425aeae866

SHA1
05c3711ddae1b366aaebf37cefb43f5696bdae14

SHA256
4dcadd3f82da77b8921701ec639b42d754e9dd268d9dff8ff4dc52fb44bccd50

SHA512
3d37f8ff56c414352326a352008e911b800116d12e5461a63e33cd438c0dba5fa4b5ab188b2e12b10eaf1a44cb6ac3003b5507356c2f1683ee8ceef39c6705fe

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
ab1a32384f60d51c5f106be560d7413d

SHA1
bc227685aceb9401bc3c5e1205fd9a65a51b423b

SHA256
c1cca92ff75e933865e5f6627af98fa96eaa1fa2025f126861ec4f71e412ad73

SHA512
1076936b85de2bce71b6412ae634695c971015b50f239b566602685a9b794193636d8c2ece027ea43872883c5de5502980cb1e272d0c9a423be1b18868077f8c

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
cc3e3b0b4914433c38b97ad680a1f9b6

SHA1
aa796ed93e18d1d0fe8c95946e9cff96b8e752bd

SHA256
1980190bb0c74d89a7296f8800868a0192756d1d69fd3a2ea7bd44b69865c4cb

SHA512
8f07179d531bb0885372716cecc0c193f11ebd8c4362da1a01d32e650296bb433dc986c4ede14fb30459b6bb56bf8f476fb61af3adf1a8adebea05403a6f40a1

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcr120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1773.3MB

MD5
300deae7e3c8313b08ac08258175b708

SHA1
8c9b169caf206e9e3d749c52f0202613ed63186c

SHA256
d84a8bfa75bf5e414dcf7be2eb85b18b4da5ab688f7f6aa665f7c6abd27fa57c

SHA512
751176e74fca841f73dd07f371b7ce8483eb52a8d8f65d7e2962b1909c6fffd23adba6037ce0baa642c9f6943742419cd196bc55cf13eb955e10842e9a957360

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\EGL.dll

Filesize
532KB

MD5
228340ebea30db541cfcdf11913dc2d0

SHA1
026165456b83901f147da0e22ed9e4effa41078c

SHA256
55f30f7eaf89ccdbb01190a7101ee2ff7f6318fa37760e3788711253b3a2e535

SHA512
dfa88c85a87bbbd531746e0a384c3e00ac73254ebdf61e0dc9220304dd01783aa4f9d9ad89c95c438d41051d77647424095b499ad45cf8788d8fa390bdc4b896

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES12Translator.dll

Filesize
379KB

MD5
0b8eb3897770e6a45c80d91019baa29e

SHA1
98165c47396a4d86d20b2c6fee5607eb74f05cfd

SHA256
ed40119873178a8029daf7e7bdf4e86bda04bafcf1392b5ac37163d169d74c09

SHA512
bf3fdc8bcdd71703ee1a6f869b630b2bb32fe414c03b47733f324d69c1205847899d28f830a2b9e0c3b9560875d3ffff7899e489f065375af03353d0c2b35669

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES_CM.dll

Filesize
1.0MB

MD5
793c80b0d35d6e19bd3ee2d96b2e7f4a

SHA1
0c37aa9ac1f973cfe549a3670b2dfba02dd9f096

SHA256
8631daa13d42526e2d156a08e33020e7d8ef7918ffa24933c2343c7f8e89ba07

SHA512
ed643aff46a43e7cb06ce45784752723e6096066b50179c0a6d0609a5999dc1fd001fecb4d812b71832fb95527811f5a40c3692a9b9d7907bd1c4e9b9413343b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll

Filesize
18KB

MD5
cde2424d99db56dd0d1eaf34811738c1

SHA1
cc7889c43729b93a4e193b2fd6ae5f22b6ad6b8f

SHA256
4ceaf28cadfd0929b44e9c686b93432a7151504c8ffe2a6afe516f9b16538131

SHA512
d5b8ef2de3fefde29b2c9cccb330c3076ba71d6ae29e1b34617057d8a832d37eae8e2f238e2abb6eb226453c00a835c669a7c03a00cd1698d02272d8eb6998e2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
17KB

MD5
acf4321ac8c8ff4d0442c799d621f8d9

SHA1
b12f87e6afc48697f1ce8b587715361e89b79cae

SHA256
69b84f7318798a91143e3d273ae9c0bedaabba930e3702447d493e2b8dd70725

SHA512
7878a7cd62f9d259a6bab05e13e9ac5b16437c0d8bda46e864f205465ae19531e5655d7547ae1594a53a05ddeb8b0c6058a73caeb21cd7c81fe5a424303d3bde

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

Filesize
17KB

MD5
3c47c25b8141d20b2b4d576000000a61

SHA1
04543f9cdd847ff66389c9fd1e12b444dae6383a

SHA256
290030199e8b47d6bcf466f9fc81fee7e6aebc2c16a3f26dd77019f795658956

SHA512
c599ef06045583b28faac051909c28f5f2fa56c34d47f3bd49efc101a1cdcb571a298eb100d0b381e3ebb1ba19b2fb4dd5127f259eb8ab183753722ecbe0f10a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
18KB

MD5
e05ce0232e64328c62c9da37698566bf

SHA1
50c25e6ecec2cd17ecf3117bb9a646ba107d2b84

SHA256
573aed3f3eb436f9b7c24d51be3be2105deb8149ebda9b964660930c957b2410

SHA512
8093bd5d1ad96d759a5d9183fca27d7cb756e0884776673f132d20119e602ea33f8121893b9b90965b0eb5710e244faf4e2ad738479998fc2c5dc37f83fe18cb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

Filesize
21KB

MD5
a26c7ffcf18b62904dab7786de638ea6

SHA1
b28489bc38ee2f522ee83dcf49faeb96f39a77e3

SHA256
74075b7af84378cee0d035c020b320ee52a120b21f71a4972093c9e23d534830

SHA512
768c8d7818acacf83d8bd020ab239408673f6cf9e0e8f1be1dab2dd58c5df4e45b970baf7d8d09887280be0788790eacd6126274deaca6b1c4b7bad3e335b34f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
6a55a7e284b51b086b63cc6f2061ce8b

SHA1
46a48a1ccf5262038b71ed4be09cf625009d078d

SHA256
d9973270a952b4ce615104520051e847b26e4b1cc330a5a95ba1ae128f0dfdeb

SHA512
6a6ba643bf15581cd579e383bac351ccae714d50453cff52cac7dcf5bd472a170e7d33b0509c7bd50c5e76e8a0304fa88dcad63a9e2cd0694a5c56f4a21ae363

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
6e38a6bed88e1c27155e4dc428188ef0

SHA1
8b47a1960ed157f7beeb80fa4a16a723279c4efa

SHA256
144d3a28e43e47fc1cce956255cc80467d4a6fbbb8f612ec6d85f62de030a924

SHA512
3b801875bc5a483eea6d6cc43015e759ee1f66c12585f698cb92368455f25b5309617c8beae39945cadb57009a9c9a9ce21c18dec28e86097c67d8fc5f9febab

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll

Filesize
18KB

MD5
9304209688e2a18d0b26997bc78fda7a

SHA1
5d4332cf1c5123418c6419d0291486c3939e8785

SHA256
d6bc1509fd2d4ea07e661f2f59395b4d71907d16f59942443a5d460df343dbf4

SHA512
5952e192b6150055bc88e672fb0254bc962abd27afb5c30cd0f52ede98ad84eba9966d721b3b6602116ff40ad5c489a24eac35dde77397db88aa46ad2bd18960

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll

Filesize
18KB

MD5
f42a84d78a5a15ff1a4dbac591e95783

SHA1
1cd5b5e68fd729bdd340463b53728634d342b0cd

SHA256
f60267cab87dfc1accf912c212186112aba38742f621549d6bc8d67e217e7234

SHA512
89ba6571df642dbac769c72914b30f2d27107f023a9e1cbb0c6f5412b6a69d414cd99f29de07d06592c7ab9cdfc558f3b65b7050921bd442c01417bac0a850f0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
18KB

MD5
9f286e57e5b1c1a347adf9eef059ad5d

SHA1
631aa1aa364234acc5ad20b27f926e9cb9ee4276

SHA256
f93ddef4ac14ef778790f3f00057ab6cafc0c99dff52cc24f523d63917719970

SHA512
6df20707ccda0cf9916b7c00b11a4a82b47a0f6e87c6eba0f38e440e143b4aa6e5b48f67d09a9eeef75da2aadfbb5abc7e62362f50d674bb8a532e290699a197

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
18KB

MD5
beaae8294db31afa04fa60795c6e02ae

SHA1
8a32ebd843e461864747fe0aebf4bbf83c4ec093

SHA256
f8e8d85035bcb478ce2ab47a6476a8c756a7c8fa05bad66b9a03ece6a2ced141

SHA512
dd1a75943401ae5d20c9ee023ba77000db9433a643ec2f102cd3a72faf274deb3611954557c81120d81ff447f86b7309cec1c9005ab37ed7bb48d6e6c239b135

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
2ac1289e4dbab076b332869bef26d3ce

SHA1
60570ddd06b671e26c6a814b9c08cdfa0ef38aba

SHA256
6475f20f46814d28845c2fa73e9c283a8504483fa16d911325588c778cf76c26

SHA512
e226fb4739d66e2c4624a9e01ec00dbe3b37dc96995eec35660208d76a9e6758a2a29be1b7986d14074df23ea0fc39d2ce121b7bd32c553371c1b15ff3e2ef7a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll

Filesize
18KB

MD5
a2661a468bb87ee9cc5dee968fd3805c

SHA1
9b17fbd552e34888f1453f9113ff4c42efaf6d6a

SHA256
dc41da54e717aef60228ee11d10669c31d3ddd532eee9ecad944c09b71b762dd

SHA512
b5c01cb3c991fcf8945c764b853f8a32fce324f01562107e086dd998a1b31f9285a0d645c96052b94c955f3626691c3ca2cc9e04d8594a0a7c042530549f1aa3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
18KB

MD5
acbfc011d5842ba60c372ba3d222ab70

SHA1
16b8014060a04bb03215f6ce4c118bae48653bd5

SHA256
b0ae48eb5ff51fa038e1ed23c7c48d266c20c2af3f9907ee6906bb0346df7f9e

SHA512
dce34d64e6674b67c7c6e7c34886c1ede2967e6af7cfe2addfe51fcf70780a33d7308e7ce81a80149034b8f910c045b3ea81f458d9227448fc4b339dc05a59d3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
19KB

MD5
19d14d348ac38737431a7ee2f82973e6

SHA1
11cd8f5dc5c08d133b9b006da5c84946f012cbb6

SHA256
1cd9cff9f7d24b22993a207cb81f15ce2792fa5f941e77e8280db00db6a273ae

SHA512
b3bf7426150bf3b933db4670db3b7d22530c7087efeeab0ddacfbb0bffc01aabdac68e535c7298b13a42530a1aab2340203874b5382581f59309ec9465f6a0cc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
20KB

MD5
ea0e13feac13dc18c79eb682bef4676e

SHA1
b9db47624345c68cf07bd2677df537e0f975caf9

SHA256
2658242ccd090181ed944f682c435e5fb880f3b21d1811d43b93478901d701b0

SHA512
540b9f8b18d42e551f13de3d4a6f0f821ea23e4c85a6346b84e8b74d02cfb5413355d126913699208faefd67680c52cdf4e6ecd66fc0cb4753ee603fe9763df7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
1af2a91dc0a4e48bab0ca123073adf30

SHA1
cf6625fd31b17d46dd31b16372840c74026d0ba2

SHA256
ae574c9b8a2467c3ee0ac3e862255e93a02627bce146ad7b720b99905dc224fc

SHA512
45103c51fc655f608e687c8e9db24c956d12c63b0497ced3817aee3d9f5fadf0741064ccb49ae71fbf377228af315c961fa414221731ea4892425ed4939bbf51

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll

Filesize
17KB

MD5
9b9d1949b75df171884f6f8caba7ff59

SHA1
411adf413f53c56488d5cf68e9b4b692889f3c4b

SHA256
cffb2007c31932b092cda3a0a39f1cfcc5766b6a1c05e5eaeabc53660cbbe786

SHA512
dd2110a2406e9cf70e26076ff4bc41f5478ece318ac48e8c7d8101e14c41284ddb2ea305560e1fa27d70925525553969fdcab243b31c0fb5ac460e1f00db2b7c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
18KB

MD5
c6e268c877a9be5b43877308b1231120

SHA1
949105c826dee6a32fe1288285e3e41cb7d04821

SHA256
eae3cd8747da3b435846901a1dbe0e430666d3d8d7ba6e54307cff5d6ee0592f

SHA512
776fe5cc3e5eb7ae9c20e15c6c5bce20fb2a0e9e81d260a08dc41860b3967c7abdc3142786421f349ebe9c43a12e261a34e3e176535b8e04545395279c439331

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll

Filesize
18KB

MD5
5122b8aa14a25c8567d9d0335036446f

SHA1
81961f2c8a331136f8156930779964a71e0badc4

SHA256
7b5393e2cb79f0396d5d97510e8f0955a2586aacaf60eb8de3676006cb81dc5c

SHA512
758ff98f838f3ca03ef6a9e5a0e39732afed73f4d15dd7d7a1a842c36ad00a859541b4e977af513ddcf970ed994cc27b11654ddc0f15fffd83bdbeff43084cc9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll

Filesize
20KB

MD5
e1b30d56617709cf7dff5f464d7566d9

SHA1
e29646b1c90550cb86ed42782c764d41f2c70651

SHA256
5d1a854a0c5121e2e8866dad26545f7f8c2d2f1b15ed7f1ed0b72654a1fc299b

SHA512
e158389a4f71eb94a2e73706f0d52db91798104d990065029a3745dbc9a0459ed9ae96c78bd005043de9057bae66f35a174537c525385abc8e91dbbf579ba511

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
e4b64b2710725ec3332021bd8044d884

SHA1
2d7f8d87d0f395296ecdf277084d23cb9e0880e8

SHA256
9566b81b1c6db1727a4bb3a7a3de12247ff5297f34548593280ec31f2b2e2c65

SHA512
ae5570a2cd245588a3f80744c7b1af99533730ebf8926f51a2cc13004a6eb5ecb501aa8c2906e5fa5ddc5a92fb796d54af43b3e3ff97ca1cc3d898462bf7e9b2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
19KB

MD5
67fd470a60fe8fb3f9fbe32fa52871d0

SHA1
09aba019a0d0dae7415b6d9a39e1dc67d93f130b

SHA256
1f98f9e044d32e61445c5fab3c80c2f37ca6bab3d5b22cd5611fb5df73db04a8

SHA512
f8c3f1e3bee196487aec704f128240acb57fb392db918a97176793b07726f017177abbb5a6c68822fc59ce06f04d489a78284a865efdc2de518f34ecfb0cc1e6

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
f53ed8a0c18157b9e37500621dfab9ee

SHA1
b8a3131150cfd46052353309843c802d9f43df03

SHA256
5909e928d791f67a13e3130033cb0e2178f5167a644c3ab5336322d38356db47

SHA512
2cc98322e67ff49aacaba0b23fb559a5c4c58182e4f3965673a766d3198a26fcd7c7c340779d9fb0fc3f2649c16427ff312d87caa1feadf23dabc6675169416a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll

Filesize
18KB

MD5
2b9f551cddd662c618432a75c546b296

SHA1
1ddd65fcc8bb401c734ebc2014d057328f771744

SHA256
070afbdbe5b3f3b76b6b7ea2dbb9f8deff81c6ec8706eef9080671543e2ae28b

SHA512
54df6e692ac630d969a697c9e6f379c4826ca71b7e8eaefdf502405b1333a6b483256aeba609a4a1c61e73f72d2958aaf3eb31538cc5e7a91101d7d09e3ed9dc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll

Filesize
19KB

MD5
7d943f85ff8d1515a02d202ae79453d3

SHA1
94def1f7368172ac50b665e74b89e8f7aae2857b

SHA256
1d4464fe335470452e58d613028dde2f105edf969d411e90ba7ca9e343c3fc89

SHA512
e111dbef97c6c6cb3b5c2d183294620792c48a2cb16d9d91c12cede757a1c0c53d707f4294542bef47eae784893bf63fe0f0229bed4b2d0a961c8d1cc1cf43cb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll

Filesize
22KB

MD5
278857b86f667c47cbcce94f5ec73ca8

SHA1
a0f5b7e7c67f3c6b8f285d39d08b740e49445755

SHA256
91c5966932287078d0e616d8e0369347991f39765749bbffa1ed3a9df49776d9

SHA512
ebc02d1a2e223eb0b30a8e62089735faed83add4161094493f62561a09c13a426815e7f06c20c44477691109a8c3040dc68527023bfee6d9984c42d6a05208c9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
6493b21fefae874655c62a56a156f3eb

SHA1
c65beb46f9f03d35867ff008026d3a56fa26fb65

SHA256
8d9d3e905d072c4465e4787dd5bd843d3a5dd5ac5ad9d7f232032b25facc82ab

SHA512
93cbe187f7fa86ac58191b5384a993135e3291873a76cc2cf81dd60c68ad7591386e4eb5ab53aaac2a6f48f7f778263b7fa0a4ea0863361910a9f1efee92b64b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
ae83311041ee793253ff10736317a09e

SHA1
c62d06cb6cbd9d997c42a6ad7f13c06f38725069

SHA256
8f9361d02f68392127fe264655eac4fef4a4a1bf63571f184ce26faa98670702

SHA512
0fabcb0370330460f8f525401f339535c08d768f075816989a16eff2256584cfa8fd6832df3ce3d9c2a5364b4ef58bfff53cc486e3b48d11b654f7174aa18458

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
12311308d7d65895b3920b3dd3e54b3b

SHA1
3faa74c6913f451d9c575761630b507af0c15ee3

SHA256
76dad3e04c9ff61b40ae1c9e039837cd1c077d59b6a008643e4fbf2dbdb564dc

SHA512
67fd047e760dbdadb06cc2c34b935fdabc629fa988484a9f5120cd59d6167d943b612df65626701022b5e73c5b1177a8d813e90c5990468f51a5a11932c008ed

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
3dafcf25a2ac1becf40acbec8fc7134b

SHA1
0729fdc617403622c2edd77fdb7dd49b530e2037

SHA256
ba1458f730ff90009483c763926d1c74383480e529541c0ef5d4de44e7a4f14c

SHA512
9dbb487489c8a6af8dbd6326fe4958f489552af268f2937495ada35bb8404cfaeaf54833d8bba2966e72cd0ba3284a5fd167baf4cd6d905870f5d1ed3e5ff6c0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
f32bd567d35d2e85504c39dede609e72

SHA1
b7a7145956466e45bbe6f7fe41e935a152c2c325

SHA256
5f2bb085217304006c81c55214c6093ec476e554e31808026e424da82f58aa0e

SHA512
55396f3e5821d3f3eb5988bd3362a0cddf036de4afa8cc1214813834b5a152fc3df787a8347a7aff3de6bf112e1d2a354790f593854a59f1f49393ddf967d085

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
56c02fabc2c64174009c905570c3a22d

SHA1
e52154112ad127ab01937453490091def4d21ad2

SHA256
0aa2cf2cc029c95fc053374071d7873edddc410ff8858720ee5c29bfee62dddc

SHA512
9f22f70b5de4078fcbfdbb186d6cf220561200092eb7ceaaad9d44a5281f84abfb1729f4e447dab3753225d5fc6c44d94363e3729e5765dd2213213c327c4c1b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll

Filesize
69KB

MD5
4b27cf5cdb20aebf113df752019ffca3

SHA1
b02c6e45f704dac118f81c324122c189e3e61e17

SHA256
c1e206aa4c8014dcfdad15c16f50fbf4e3ce8e76e9406af923131ebc001dd5ac

SHA512
cd4df2478d719e159e2252e6784d24e4260c13d8f47774ac33a8e10b1fa96d38236bf2c3ebc060a5801fc19392cbe5c636befa898721bf114956c2be6476bbd1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll

Filesize
19KB

MD5
fa677cfb18ba1370d8bb98681c48cfbd

SHA1
cbccd561bf53c59254fb04ab136996b81cc80d3a

SHA256
36589e9738a9358065d5a72f4276505d6c2f78101508bede05bdcceea46a8cd8

SHA512
9312acd4955d4950d851910198d4ee622b75e11262e409c79391078d12d2d0db320723a1552048acc0e9deb30378e3cd27d4fabcf2077d429eedfb275cdb73e3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
595a997bd415c8ae0ef1e3c3b73e6091

SHA1
10f34bc2f474a43bfaac26f66ec8081106c12253

SHA256
11aca97acda31203aeee496c9f183b49db1c54d0efa48888a15ab4ea47ee080f

SHA512
944f6bc405c69d6bf6dc97652e9f296658bd3de078dda50ac680e56818c00dfee909b100fc2fa9c6a891c55dbc66dd62ac52819950732c83198dbb8c04f3c9b8

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
415d765aa267382a79e56e428c80b1e1

SHA1
1bf13460b8aaac1538bf45186a1624825bb8c355

SHA256
cf7bbe93ae75a1c46a38204a6acef71bf2f5e3cd34501825601900e07d3d7b15

SHA512
7236ef7b2937718409ef4eeda20318b1697e7c1c868d0df263f4be8673365d48ff6ffa2317bfd1881b6cb3dd1300410ad4f715b8e01ed321c4011aac88490d21

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
5bd5a9001cb0555c5b2b14e0cbc8d922

SHA1
4562d23fba312fe95cbc777fd7c2e37ca1e76ad9

SHA256
b516d1772b75714f039440cf5d070b87a187d2f67b7f891c94cf1c60330fbfa7

SHA512
a6271f28f069a00c2912f80552bd54bf0d8461886adff626b336d25943dd0ade19eb88c718602017a1986317af3eb5f94f8896e88b9367207e8b53225322cb84

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
f719ad4c04043f55a21e73805997b287

SHA1
0e88b1271b242f7933e78edcb05131612cea061e

SHA256
a4b0f75854949980d410c5da90c36ddb94be292431c89fd3e992f9d5f8ee9983

SHA512
752b9b4385162126729c3f09b3b75d7121c8dec00cce11f7cf1ecaffed3e79addcbcfe8bdd4e20e15b8494bfe2d24c3f2d11583860b1e03be021196bc83fc3bf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
a405399d5b958a03e6054307a631553a

SHA1
dba43f0afd8c6e1f61cf0be7503c6f70b48b8240

SHA256
d675ee0c418c4cd7ff0c19c2d945331c8e6072a51abbca548e7d9d2f1bf288dd

SHA512
33c64766053058fa9fa4fe689f1ca5a345b8b70443995d71aa65b64c7bb38d4dc3a2b37ad06a4ce5ca1c927ed9ea4377443eaaecc69b0e758ff265e755194287

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll

Filesize
310KB

MD5
67a3ad0fec3eb767e423e3d7a9134343

SHA1
42949506bc8451031425840df33f3acab5637b52

SHA256
01729ff33c2e3db1033fb86e899d62026dc1c03705269bb9636227f61934d9b3

SHA512
f3b13d38f44acf37c5002f08b684cb2955b778c8a703c8fca6e07eecaac45e1bf4bb036dda055114152390322351ef936492abbf6532d1a48fcfd29304b4db1b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll

Filesize
51KB

MD5
2ad7d7087c177a6c065558be694a3b09

SHA1
175ed2c695ac9798e3259eec20035667b5414158

SHA256
43261eb27d0b7a9483f4e115621399358daa2f5057f303dd1d91e955312dcebe

SHA512
1767c9251581a663912d6e0010f65fe0bf579acc453e865a29d6d584c4f8dd2cde3ef1e3dc36f0e67f9fa607e29b1666a27436c92714195a5c2af57d4437a600

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\fastpipe.dll

Filesize
67KB

MD5
94dfe2a811fd3ba04da90c139961c41c

SHA1
0df1485910a20a9336a732c4b56b75f0050ed90a

SHA256
0e9988147ceb14b2d4320f95dec965303ebc9b0c44a61b7880250645b6eda5d8

SHA512
a1190c3d6b66018a1624e4fbaf016865815cfaaec0a2cbb074746f47e43b3aab537eceb5239a1e493e898886a4e4ae260dfc0a9866c3de26481517684053362a

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
639B

MD5
8de2286845686683ce3578c231f4b40d

SHA1
2052c69ade0abe1429ad48974e231ef86eb38c05

SHA256
f5f2ba24e20d9ff4db68b34828c7df3e1cc37cfe08a951ae9beb3f6bf8c2374e

SHA512
e4f3e73a5ea574fec102dda4fb5df23020fd0a570338ea0b93fa7c22c1caf214557b544b408518c02edd2648a1369e20b79e6f4836963ce6ad83b27bb04cfd71

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\772D055D5E4421B179898A4E6FBD9ACC

Filesize
471B

MD5
cf772cbf7978768bb90651c72d5c8ae4

SHA1
5884fd7ac201d55474b966a393478e6abdab0f3e

SHA256
e3f9fd1fa1e67a315d74bf4e78fa3ed8e2fbab035b6acb103b55620c9144e4a8

SHA512
75c3798b35b2ab63cae0ac543001d24d044ff4019039bc5106e4a978aa842f6710beaac8b397b806d929acc61b1f55102efc7f2aca7d43345ffd619e5ffb4dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
c1703c99de50a935d898c972274564d6

SHA1
d7e7051f2446244d0f0d8f393cf8555d23622301

SHA256
cca08d23baa33ceb2478c99bce825b6f37edcaa7c99eae55bf9ba6fbad56658e

SHA512
f45f70c4f9d3a6309f1167d6474885efe6d9d58e774b5d6afd01a7a2da604e4c295ed6874b09edb0fe61d19c4ca24d95297197042f89d782467c9662cf2d78db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\772D055D5E4421B179898A4E6FBD9ACC

Filesize
400B

MD5
e32dd203027f51cc4a5036c1ea80e3db

SHA1
bd19dc42f8e88e17237a2b8f0d34ed7f9b6b61ea

SHA256
171a5e746d9d08638a7476b317558df0aa6431ded91582cd5f16f086cb2edb0e

SHA512
e07d9d945cc49b50073954d607ee96e8a54bf05c33eae5a65024b4b0def8fb225d96b5924ba091922cfc70864eaae263233cb2126d5b9f95838b96d83fee3dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
d461d1b340496644c7467d0d5c7ae8f0

SHA1
a085dc6dfeea542281e0ba854b1daf24d9397b80

SHA256
e08e3385ece604789ba6ebf2132c6d820dbfdc3ab236eb0621971a9828c4abf5

SHA512
5083735b193987082b474a900778114cde69984c4c2358bd4727fe891d2ed6acb4fd5cd97e0691bddeafca35a7dd7cad4787c9e1af7b484a65f70d914d141d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.15\autofill_bypass_cache_forms.json

Filesize
175B

MD5
8060c129d08468ed3f3f3d09f13540ce

SHA1
f979419a76d5abfc89007d91f35412420aeae611

SHA256
b32bfdb89e35959aaf3e61ae58d0be1da94a12b6667e281c9567295efdd92f92

SHA512
99d0d9c816a680d7c0a28845aab7e8f33084688b1f3be4845f9cca596384b7a0811b9586c86ba9152de54cafcdea5871a6febbee1d5b3df6c778cdcb66f42cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.15\edge_autofill_global_block_list.json

Filesize
4KB

MD5
afb6f8315b244d03b262d28e1c5f6fae

SHA1
a92aaff896f4c07bdea5c5d0ab6fdb035e9ec71e

SHA256
a3bcb682dd63c048cd9ca88c49100333651b4f50de43b60ec681de5f8208d742

SHA512
d80e232da16f94a93cfe95339f0db4ff4f385e0aa2ba9cbd454e43666a915f8e730b615085b45cc7c029aa45803e5aca61b86e63dac0cf5f1128beed431f9df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.15\v1FieldTypes.json

Filesize
509KB

MD5
c1a0d30e5eebef19db1b7e68fc79d2be

SHA1
de4ccb9e7ea5850363d0e7124c01da766425039c

SHA256
f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1

SHA512
f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
20d961171406de0ecd02f9daafd2cf7e

SHA1
d0a1ee440cb7cc6075f838c6bc49e95ef0fadad4

SHA256
d1948f3f7ba669e0a2e9c9d7df20726d48e8a1e1dfdf52e85ca974c8254f3f64

SHA512
4885a1f3b038cb3b607e49bb297841e632a653b9202827ffdbc0a5fc548b3887c0f8fb0edd0dc3a148174ff958b3e569c65da3bab09777d0cb8384e5e900aa05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
9d425dd5108a3c4e580a9926992b6b68

SHA1
9ebbf8ca98f35af0f19d9ed02daff08ef380aff4

SHA256
e5fa8243cd73e9e1edfaf394730d8eb416ff4d399a3ba175cbb0bbe1dc6226bd

SHA512
ce6b2891da30b606c9fe9d2c14a770e5274a52ed3dfaf71e77a03b33d716d6abb3b4c228a83ac3ca8bbe248d2adc65dbcc5f7703598c3936a6be89ca894b94e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4ad1837cb33e5d44bb9d9af3d319abe2

SHA1
bd11e51bd997c5ec59ca52b51460655aaf56b578

SHA256
57f85259c71a3bc68772c22b0d88acca25ba0b1814e864842326a1d0a1836d41

SHA512
139df27da3196cb9d8b9ee7febf2d0260e98a68b5a232283f6db7fff95842a22100573f178d5f112ce1393b5ef483e82b8c6459d588f0b367783a19481fb6851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\16219f0b-62a6-4a61-88ea-b7a8cf969640.tmp

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
7KB

MD5
8056e237959d1002889529127fdadb80

SHA1
1ce8c0cf3d7b04d464bc60844a7be29c98ad25b2

SHA256
e3a1479d4db2641d4f5b512c41b98a029c15360ff6348b31780e8073143a7f76

SHA512
c9f28292202a7433b52376ce29ab6fad5ec91b15f5777d733698cfe3d8a80c9ab0a455eaf8431b69308a6d39c52772f987cd762ac87932480504f97a91c0375a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
7KB

MD5
fa8010d440a9489fb456234fc4241bc2

SHA1
192f6f75fd4cc0423b8d06701377fcedac6ad171

SHA256
9cd7bf2785b46788f0f74784777f937e83f57fe333444faa98f2e9a248aaef50

SHA512
7d53748c3814bbec7ae366fa4a0f5c06e790dff2fb85a2e7cc922440b9e9d6bf023b18b0f8e09d6940eda34eb3bd6e1148926660e521187520d6be1564f3dc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000db

Filesize
99KB

MD5
f31abcc0e9fad980130606997925a24a

SHA1
6c271e7b8af7dedbe0ad347ecfcba7e6c8a76733

SHA256
fb79a8a1feb10b18a3ce3fa224a8887eee1e358203ba5d0290c489177811ff6a

SHA512
eeda7cdc8f87c6fa156b9ceb777f60d3c9759aa690eef175c74bd8da818108acf7ad41c85b34f38743a3075675e636a3d1cf61bcae1ecc69e4cbf7a212ce772b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000e5

Filesize
100KB

MD5
1d31c718905a6a92877d40eb5631d48e

SHA1
05b98cbe7804ea39ac40796e42f66b9fd43f94a3

SHA256
753b4276060ee6694a0ea0390e64e7f6378209e2980be710f733bcc5b814e8da

SHA512
f4c05bf1e44685e0340e07395fc0c3355c26bb085c7098989efda414239dc50c4f89c89caaa957a3c66f5fdb1442f4ad593fcba70e2640d9298a2e10aa8df690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ea

Filesize
67KB

MD5
60a30ef624fad5be472ee5d1acd1b2ab

SHA1
5dbb87bbc2e8a6143308e7928536ae778610794a

SHA256
d0ec8a13c2eb6a38d628cd7adaed308116164ceee003f816889b4db1735bfccf

SHA512
315e3ea4d4c6ccf6c14fc509933b01cb77c964b608cb95ce2ee8c331011adaf618e41cf4b8c499c4f6c9e137b88a34caaa7aaa44a69fdabed84df550e178d60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ec

Filesize
23KB

MD5
5f112b5e4ce7990fdd26ad846bd9cdc2

SHA1
3a5acf60decb4fb0c2c2a4abeaa225ee514dc529

SHA256
0d7a4b692dc4586a02050f6b96b7433b6bfcc380dc7e04360c849dc1f3827846

SHA512
5b3a9297466a25fafa81f016a92258e0ed167dc63db9e507382eb1629653c13b794fdb914873c76119d3a5ab850f4b8e3ddf81d68cb6b781e8ef6aa9c713c6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\34b4824d2b07e5fc_0

Filesize
10KB

MD5
7e6e3dcd650181285eda8b402803d5be

SHA1
907c41f593d47e76f5ae3ce317f5b3b71f66f480

SHA256
755a82a1be8f7603c0729f000f981c9171563c118e87e80364ddece2d097be81

SHA512
1ab1fa0bb95877ca1ebb69cf677ac15adce1e0bde1ad86cdee6370e9706931aba4c8eb06a43e4fb508e4de1c08bc5d7ca48304a66d7c9f1d932977f108fd017b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3534adc32a11d570_0

Filesize
267B

MD5
5148aa85e7bd04d9d47e6e4d3cb1791f

SHA1
ca9f13a51c5b31b81f8d5010df46e6183d70cabd

SHA256
cfc7bf7781480a9417214cc30ac49c0f47490563743839ffd363dafdf5675b58

SHA512
86a2992a4368aa52623740581568cf8f4b62ab6ac68263dae700953f1f7a59dbee2b8750a2fa43afe9bd516003a9815a19156610bb4c5180c8eba2a50f662278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\68bd450a0a81c3d3_0

Filesize
305B

MD5
cbecdbc169ebbf06067a5fbb5075cd35

SHA1
2600a9b225a0cff270b20abe3a6a027c1da946a0

SHA256
bb59fceb780523391feb6105d45d26a2cc3c20a51935308fa3b01f5bb38fd27e

SHA512
9e0ab1e5623aa660ecaa481bc4c7cf7b81dbd378854878a490d5712668eb30c699a81a5bc48b05e0e1c43c8889554415c75cacbf3359d3f793b6274a66b561a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c1f7cdcfa7e5aa90_0

Filesize
55KB

MD5
ff4dc1a3c09fb4e8797390e7a57889a6

SHA1
2fcb8908a9a9721de47208d4687444d97c65502e

SHA256
add345b38d7e48bc8ec12f42dbba8d1eede601452837c76b66eb374aad340535

SHA512
a4f3acf8f51057e50c2a67ed227999f97cc8cf65fdfcd56d8dbef14d4e283d93216b10bb78aa2e33a89c3ae721e904225f452c2fbfd50f498cfb2eb9bc2cc544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
28559a2e09d1e8ab7aae7b56208cfc67

SHA1
8331fc02d793cba4c031adb16d2b293477daa28f

SHA256
797d54b286dc8b2145e2a970cafd3bf9a54a934f5680fce53e41b4b2fd3624c2

SHA512
19ae13e67813ed85c91ffb1a8e68261d0db884311b11dc4b49e02f9ddfbca0e600dd3670801245d572aff942e90a22d4fe71596a3e48ccf85952a56d1051d5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
790a6cd478ec4551decfa6ee9e37b94f

SHA1
9d9b48ad26510ee8b8e868e2802584fd414d95c8

SHA256
9074f776e0c50036826cda0f1ddddadbe0396ab7b5aeba88f9a3bc8486fee5c4

SHA512
3fc796bf771c4b65716ef39b3820c502b5a5336d15fa195af9bb7865dec868dc5317162dfc757aa9ca84e13b8f28b7c4db202c50af0c8062029a20d620b3979d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
bcfc3801006d358750f976a86d0da64d

SHA1
ad11a8efe6dbe6758c211327eb5211624b2a679c

SHA256
3df1dec1a9c2de20e894e8fc648de320451387549d6ffbb8e329f372a6836e3c

SHA512
7b9478b20885bb2732aee932c95c1176cb6a5afc724d386701a3ddf6c32670df8999ab073a6c5f0f552cfc0fc482d5815b84b5f1afcdab452e1f47fc2709f6c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
4901e702a17147d651acaa4ba12a4331

SHA1
bfece5ec740b16bf1ef7691ad7ef67cb6bdb9c3d

SHA256
50ccb626c56f7798607cd8c6d6614b48e916b9709b2aa18c659e39af844ad0d3

SHA512
c9bac89c35a7ec9e4ea1f5d4bc34f39cbaf2432c574c38bdb6c7c16a867cf014fe84d2208ff3884221c5e22878dedef9c19f8523c4aa8541c0fd1ce0fb54b747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5b1c00.TMP

Filesize
4KB

MD5
2e6c59720addaf80422d0532b4cc59ff

SHA1
67333553b6d2846ebcc8580717f9e71bb77dd014

SHA256
00018f64cfaaaac4faf6bcc837a1c6a383d57b80f474b4faa4921d25f4788d20

SHA512
6b723e8daf2cd294c2fafa67563b3f915f3bf1edcfc87fc00f8cfe022de613d79d3102a58672e28b1815290d628cb44d48d4298521cd0f6037df2bcfcd286592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
8dc271aaf4cb2362fe32080bfb50f68b

SHA1
2a531c254de999bd2b25e0500a5a466aecc274f7

SHA256
7b68e5edaf307c9fa82b11fd16e4efc2c48db8d342c0364a263d6b66990368ec

SHA512
9946bf31bad2e37fce4e65a7d4d6ad694296b6aa68ee5965ddda9016e505b6dc5ef2be4d999f02b2e477620fd0b72eac0d0fa54dc74a05f80eff878b618fb0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\cc82f66a-f431-4b85-9063-1068753f286f.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
20KB

MD5
41030be0deaa1d6f480daac778d378ab

SHA1
df222523d0f917a26fafd726242854203fd6b4f1

SHA256
794839dc84e7ddf81ecde9491fc4de101d0db31cdc1fa7b62ed6d278bc538806

SHA512
b66122ec0b37ae144621f58f417d888c7ff733f8464d09f3bf21977f152acc00301a566e244ce5f65a7e7e72b7e6da34dcc443f66711183719870f9934e61198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
88f06c631946d88e0b4faa4936856310

SHA1
3a3c58feb050ce51dfc9008e0a66117d6df65590

SHA256
1d2f823dfc30e7bd22d2a0f23a3e5aa22ac80ab5491bee173cdaaf94a00fbbf8

SHA512
abe4c8c1e4c2ec22092b22492573da30b3ebb95e662906533dc5e84fdc2079f5b20c2583ddcfa3138dfe45c0690367d3b2698a6998daebe73419405741d851ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
22KB

MD5
faa58e02ec733c1740298ec4455e997b

SHA1
5868e5056e30d2812ccb05a286f1d625c17f9048

SHA256
0540c3da5b53ca52d83271cc644d28fe574de8e970b62bf4ee37a2178719c855

SHA512
cfda444b76e6414df7c27dab8a6cc257107af4a8adcc433fa490c2d2f93641a1df2e705eeee1c487b7b43e2ea18a8bdf6daeb41a84ee96f6d9ad2ace36a22e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
22KB

MD5
4ad8d7eb07c3edb16b4f596036e1bcf6

SHA1
fdf8b089d369170922df3ba4bc9566a794da250d

SHA256
c034d30bb098a979a9b2ed83b65317c80bee7ce9152167a08881e5d52f41d35c

SHA512
2efe8d72f9047bf8bda7e5bc004deea1100923abff805fa7f9a32f20c6f70310659e0b2e433227fed20ebc9f51972930aea3e1554f5040c982fee0e1cdbc2c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
22KB

MD5
bcd8f0128f5e324bd839d0f300b9a94c

SHA1
58071530c019826b976cd90d0db996f6b43ec2cc

SHA256
62bffbf2e03e4fe7e249e0cc6923ac33a174ad9ea76b16ea55529e52fa1d76d6

SHA512
44508280bb66bbfcd24f8d63032f629597d960e57d7944e0453126f873c4946b9c4a9ed6115f368bce79057ce690a72241906b84f3a64602a6501753b6294f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
07ab4a8d50bf33f2d6162ad1b78c9c22

SHA1
e0385bb61f62a0b88c5e2e8fb80a4378de55a98c

SHA256
d82cf2955aacbccec8bbd49e547d0fa149aaa6f48d5f9bbf29f703938b5d8b11

SHA512
952fdcf9639da5ecab543a1fa32f6edf96a353532221612935708ed761278ac7adc275f22e1dbb76a5072e22651457ddcb7d42869a5546e9fe7ddb30b89fea84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\a332c24e-44a9-4995-aa98-7696e6f6f74b.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
5ecbd65e4ff48bd0aded15c06c34e066

SHA1
64d8de955a6b7b4898c1ff132b03745a3db0bc39

SHA256
e2634694ab4d7c2f7394c5ef46a1ca56a20e1a0d0a1b6a8485ca694bdc404286

SHA512
d0a452e105f4ef2d1a13b7c624f34a864b4cc65352c778b0c70f23e1f2534b33571df3c97690160619bac7eff25bbe71db52448b6036ec9884603dea1916e582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
bedc6d432f00de6202e1059102f32342

SHA1
50af9784cf02d59172248790b091de6154f15888

SHA256
a59fa5f3b260e89c862411c5afca419cd38b062300aa4e4ff81638b885e791e2

SHA512
2454eec58e7a619d19b0c30bc2b7ac6309e5d8a81163424798e4fa28dceedf53b3e5494dfdde402a1e2087534f7dc1982dcc057299cd8ebfb52f73bbc6b06de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
a238cb0f033f728cc633d1bd4a9e1017

SHA1
dd484f17ffee08f8ea5601123f62eed2bbe4c672

SHA256
cf61d23542759040f01c6078a1af581533577017b33732921cf07a660c24b700

SHA512
c83f82a3d2dbf5ca80bdefdfcbcfa79e3d76ffeb0b54e8e312ca7c40148bbbbcdbb822be7b27c540ead46620abf6c315fd711f747f63c11e632bfde290e2f9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
050fb765a939dcb51cb246649f7307a3

SHA1
0dd5397f21b0b15369a17efe93bb854959f2fa84

SHA256
6abfe788133ad7d88a700eb607fda6d8513c91e62fd2b936c6932dbe8294ff92

SHA512
2f4f931259be29e5ca54fd692ac336ad8a9b810f3032a680c0e2df10a87aede77b9084173abc01d9f3171ce0c15d86f826021e27dc7e5a3c2a9968e845b5f3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
e3cd39e26da54474a4c9249cdc2cdccd

SHA1
799ac1f3cd94dc8283655fbceb5973710f7de816

SHA256
16c14773db54900c3953e362623e0ecfa6c044550c890e311ea1e7811c990b77

SHA512
ced837e08daf8a21483b8eaed0d2c348fd4eb1e880554282b5662dea8fe61b56837d389db8963e544bd069f0f464bf2202ee08702ad51c6a05a496ca86675506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
c5b635c1d061bec9edf7e149ad92c79e

SHA1
1ccffc805fb2daa0718f5e85964430f95c50d2d9

SHA256
7ea8de54f8b8ffc72fc1f958db2b0714b30b509cc1af7c34a1d614f5994125d6

SHA512
75be0008d67b45f648faa3e8d02b4f229c3b041ec9393acce949d5aa8adb5d453516d320cf66d471e6349b9546c7465f83809cb4390ae5b1c3b7c7eb0ae3e46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
ecd97c94452b2a6a65f322c42bf639f0

SHA1
e90bbc1b303579382246f5ddfe3cdacf936d1e90

SHA256
ca85a266ed1170ac6690e6b93bb5a702b8822a773da64f599eaa1c4f5f8d19b6

SHA512
f18b2c93393b328486ed256dfe8e233b3fc178e433ffa1df97dfb1f14dde480508213b7e6ab2c96291ad64718c76e22dc441af15c6811ed08227ccd0773ffc6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
6a3912610a751b88394d2259810e5ae3

SHA1
d43595f25c45217b7705842bb601ed3954a32a35

SHA256
40ddc395a56088a314655c365f4cb0a5233f1110319c43b0fc5490b122ed150f

SHA512
46e65c5ac2af668ca188db29f9c6cad32f88feb653df0828dba2ef70aadfce4b4eddd6da5b1234049c237f147339968d00aec8be1a918318c23e6780d0fce0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
216B

MD5
259d49442f587d264d01cead6f53a0d3

SHA1
5afddfd0e02370bb9def26d28c75906e89f94ac6

SHA256
d84e083fc1415c00f632b09861e9648b6a6172e156de105d57850930adfd3d7b

SHA512
f3645060f8812aae41b86d009b7efd10c197b9d9f90ddc6ac411e1262366eeedfe19e79537da957ee2ddb6bd206c5df7e51f68ad3c5c25eea349060ff69bf0b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index~RFe5fbfde.TMP

Filesize
240B

MD5
693e5c98ce0509c030ac3b80cadae833

SHA1
2363848db7aedb9e20ecfe441a5a8d4362e2fa30

SHA256
94c73a152c983ef18afd143a5ef75c7f0a5e25904c16f06f7108b539b5f6c0af

SHA512
bc9f7fd81551283231bc4bfc17f9baf30f846ad7aab37f5ad9a7d6c60c84485b1649cd4ce43ff25dd55ef49b25d2691eed99dfb8030c6b100fc581043470f09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
0c718e2277979277c0981f4efeea0d48

SHA1
fca91cfd6c3e5136f876a2cd4108372f9484d486

SHA256
e75881677f64c88e6be364cdfc775b086b7da51238ab904c4e0aa7be17af70dd

SHA512
0027709ffe8418a7dca0f557fdf24057674ed8790b36cf74513ba6c776474b643464862427826bf48e954675adb92db4c34ee42af5b8b1dd6dafa6d44872d907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
5KB

MD5
cb7723df2197a51a4618769ac76a5c11

SHA1
e70911ae5c2cfd0b5e89e5a2ace91b739fb95ceb

SHA256
23b387a550b148ef39a0a25807c52daa4c086a6db0a7b0c6a0d4d6df3ee3d5f9

SHA512
c1c57dac446d60751738a1394e6032b475e29354bfab62d7140cbfcb87ca0cf93f30030d666d56b082abf5b1e705e5c97cd7edbe76f98f7626294da9cfb4bc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
142B

MD5
4b7e89230b10331dcd06ca5b6cbee620

SHA1
23b9f0093730ab8a449e4167e65afa5f25074746

SHA256
887ede72b2cd00a9278160602516697c0cf6b19230a19d1d24dd55b373986b06

SHA512
0cec83f4ee40ec299f3f6258a8e16f70aab1ee81a402a0fe6faf284896974d7685b97f250ac1cb53b8fcb56dc2cbe1787656dd6ab9c4961ff699e67e73f3c1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
78B

MD5
ec87174fe77c1f9debb936cb591533cd

SHA1
b3b7badf3c49033e12711cc5958bd6b96fe332c6

SHA256
260e765cfd03c02d44faeb08895f2c6b1c1c53b4b60d04b478f02d1f948fa695

SHA512
bb35c11d2c8d152403e7c8c07940b1dfee49b4c1694981faf13abc8649ef9a5bf77e35d4c930a9df902022097b849ef5680d1284c2e5a0046c40a3e8d250c595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
142B

MD5
e22c82179b92ccae52b9e673073dcea1

SHA1
aa56a76fe8c86cc05803949f3fd13223cb402f32

SHA256
36deb7f4969f5c09a24438ef6c8c5c4462a7874c91e39d5e1e1e064bab7fc42f

SHA512
fb2316c5bb065562dc6a0ad59fd3df7b515d0e2823328620e79a15f9e3b243d0c850b3109550c4046b98c7fc5dd3d454da071336756c2ce5783ba54a3a409fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5b311f.TMP

Filesize
142B

MD5
bbe23fe4f9ce847c5985f60b1ec4f516

SHA1
fdd683e116ded0673a9afb2c29ae5f5543f81736

SHA256
d79f65cda3bd08576e993ae8cbbacddddc3a890ff2b0556891f1fc98f3068442

SHA512
6089e5f0eff7a34b4c62acd9300a428b7ebb9ffeb771c4fdc4da62cf5e0e41ddaff93b33eb7ff6baaceb613d8ca4c26cda4f686bbda4f1def1c9e27749a17882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
6b66c533ec8c2bcbd35b33577bbe532f

SHA1
b5e54a381ffef38ae579df95b688ef6cb81aa186

SHA256
ebd73a998c224f3c6740424ec3a0394a84d7e45a063e002545b20736b282e7fe

SHA512
4a75cb197df879744ec1b09a9135c912b9a1c145c83bd462b86b34baa7c257d593bf9c3381bb17918ec5ae8b9fee80cfdee1118b5442d1c6a6146e80a91c0cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
868B

MD5
c0dd123ea9993382bc39003053614a95

SHA1
78f876c03695932a0ef9e0ea062fd27031e5f97b

SHA256
be07f80bf5b9b1366ac826d1332bf9726685991f3fe81c5a6796265fadb01a1e

SHA512
4838af76fca5071c096f7ba64fe6cf5fc7f89ce8de3f8ae7755fe8e654b216a40d90270b7ee895cec4ab6c4f385a5b58e53b09fd3e46cb100272dfdf904b739d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5c0dd3.TMP

Filesize
463B

MD5
4f1a4b5ee951f68fd89e2cd9e05dc6b3

SHA1
c7bd4fc131811f258456aee0e7afd43dea9887c0

SHA256
6906cf95d4f9408cb3d5a581b55035caac9fbc7857c7ecc427eddfdd6e453e51

SHA512
094314da05a173c153e92f2d3a7b82c701da2e8a21b74523d75d7b088d9f100bf8d13efd09b0027b863d53b633344b7fe09b98a34269fc189518ab3c7cda3e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe5c0ead.TMP

Filesize
3KB

MD5
47430e0e9ad4838b6b88191b7966810f

SHA1
8933b4ce19e396751f93687305d3d378c48e2e0f

SHA256
98c1f419b9efe0d2a9f4350442d90916bd07593d9ecde4706030d1502cfb90d2

SHA512
e3a4e44240a11ce2173acfe66f6b52bdae8fc9c97dfdca441700ab47b5c73a46b71405da95a2cc08c34507fddf4349923c33da57da244e45b5019b9898e6b65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
9cac3c0eba539eecd532c5a1d1878fda

SHA1
18e31d363201efb8dc44609fddfc8c429f8ff7bc

SHA256
df9e0818383bcdd74dd0a3fc88e56b09ce732fc05a887a6e1d247adeb4066ce8

SHA512
55c71fa601baa0fcb50f7114306794530c222df51f51354c49dab8cda2309ebc3a303d27ff49000211d1a669dfaa87b5f1c114b5f3f3ffba49148d9a82a012dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
5a15a7fa0b87e5afcc028879b265b1a1

SHA1
66243f0a17408e6fbefcca526b549f9c18efe553

SHA256
3891f626770a6309e8a4b5f3d19a195b996c6c2e95f000e86eb747aba6dd4042

SHA512
6f08bbfc69b701635757937be2bb265f3bff48a489da2a57e6e219fc5a3ffbacac8a7275bae2f54de2e52802e624477a1b2d8cc40c14f81eb5b7af6c3744ef0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
43KB

MD5
01b37e9208c977beb73daa2d6749b601

SHA1
4ff805b12ca4515835a914bcf5bcd17cf8b12d90

SHA256
a0023c76e54a447de005d89b5f9b9e292a80531d72f8ed4bd5e24703cc32f7ca

SHA512
d3aeb617aaaf8a68762e3fd917bd6854f8fb62541b313fb0aacca8eaeee83b1bb128f43cf0d2210c9b64313dfa80b7adf7249590bcfb7782e29ae96c42906c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
0ba424a9e8b211feb04023e3ecbbd43c

SHA1
bd4fbbbfab3a4294245382a1cff43848216aa4cb

SHA256
3402d8a498224c4a37de83d774df0cc25478216cf1150d55a056aaddc8558ef6

SHA512
380a034ffbe457b1a12ad62ae043698916bb3a629382da443f547818f275ff693b8a62de40c1195a1d969c1902da8475b186621bb6ee75d98c0fe7b97edf87e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
5abdcedc6916cbe8df2f662e991de82a

SHA1
18cb73c2bb7eb21ddc4c6b767b3348db768f69c4

SHA256
631f8e31db2cc950f7162695e97d7c271ae12b058247d11c462ec518df53f583

SHA512
02aa20880eb4a137c72baaab5ea633c86f9194d9f222c1a05cee32ac867925bbf3b34eb66de5e4e46c47527cbe5696a195a5b64d4ebb8008ac6a59d07bdad901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
43KB

MD5
fd07155e2eb336b80f6585953acd4894

SHA1
b82a84b323ed832d74a5da1ae1ffaf0bcb9682f8

SHA256
1c87a3840b4f7d96346bd224c76fa3afd56cc3930bdd7e7b07696fc2416ec1f0

SHA512
70765e126272c56bd15784cfff575f21b5b44a78df54c7675a3729ff6620906818ea70b7549583457d36fded17c3a8094d76111d66622b615aaf9baa1a186eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
23ee484637c39bda000c7a8f2e3c4bc0

SHA1
1dc425c49d9f102a5148cb1067de3271dc174814

SHA256
8599b85a5ec78684821eb389d47565fca70e93703d67fbe8fb69635cf633b879

SHA512
be836e640e330a21e2ebbdf817b0d88bbbb8bee8c40e1de2e8b9bbf9baad79c2069c07ff7389eea081c278295a34d2ce17fdc45122643e3d7fc04329f58b3f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
37KB

MD5
5906c3cf7f85be32be2c071f2632b5b9

SHA1
16f3a9e42cdff76819061adc6616646152f31a9a

SHA256
045612e21c8075692ccda144c2006c31da81d15765ade6a44875505a3501e696

SHA512
267172a796827c2a7eb47b84b0aee346c5a639612c94031bf54e3a16e6711c767a5b7c141d8961e06209a9ac96b3cd0fb2de7219263135136a46ccfc3646b090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
e6ffe7bfcec984379bbd114842d3b3ba

SHA1
59a6e72a3e0e7d39ec458e0842daa9830a074949

SHA256
202b920df881f256d4bad94ce574b4186ff384498ec4902f497798886d01cc11

SHA512
21487427b58636c94b941862ba1821c4c947c53277dd7d72a57e536f96653f56a1066c93579225b57882e4a03e047a01cd1fdd723285744fee9b90175407d2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
2d22135e9ef0640e815df75dbae9e00e

SHA1
0cda9b32c5ec55e71b7e5005bcde60ca6c6bf404

SHA256
6be41911bcc07939a9e33ca2cc536796f729a30435ab65253b6ca37eabfeddce

SHA512
e1f6082bbf2b1dd9fbb972e8481bf01b1cd6acac168cf5f61870019d9f63b7889fc262a605ab5894997f3707f69d9174daa32135ad91de673df243dc1033d658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
662c9d659e0f2238dea568a2e6d7af66

SHA1
821ea3e3c6f7aa56ebc39b4f2365f1086ee858ae

SHA256
7f97ef4723d059faac13800a88022c17758723d91e1a95e7510dd7a09d48ede7

SHA512
02beab0316c0f09d235fca7eb82f010a2a10a1ddb872cb3b6bb5d020a952cb2da7882f272f741e9d6d82f661824bb5bf24078c5448860d0c900950686da44142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\safety_tips.pb

Filesize
163KB

MD5
bd6846ffa7f4cf897b5323e4a5dcd551

SHA1
a6596cdc8de199492791faa39ce6096cf39295cd

SHA256
854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666

SHA512
aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\typosquatting_list.pb

Filesize
3KB

MD5
17c10dbe88d84b9309e6d151923ce116

SHA1
9ad2553c061ddcc07e6f66ce4f9e30290c056bdf

SHA256
3ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e

SHA512
ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.4.5.1\typosquatting_list.pb

Filesize
631KB

MD5
437dc8e7b452913c0a4a8eee81dbf18d

SHA1
217d22f633ecab1eb7ea8cc4d44fbb3a150c3231

SHA256
9a4f0d5170601117807ccae780b91c424d24dd0a65d38607cb35054a8d1170ff

SHA512
1cbdd93c4b24bbbcf1ec332983bafbf5e2e34606d65a96e711c63b6308b4276255dde16dc8866d48e9261196d4d39fc9e519edd3e2e012331ace686055982227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\436aee4a-5a50-46dd-8d3b-5009ad750c71.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f963430-458d-423a-9209-da630d8b9a4d.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPU-V.dll

Filesize
84KB

MD5
c324caacf1859269a6d0e7465644891d

SHA1
3b962eeebdcad3f99d1d74d417186b9e24417d84

SHA256
62cce2c15b1b06e3f7cc89c6707b437b010163d93ece7d40c349103d097987fb

SHA512
51a631092201de03e144e9a7112ae0af095379c9139fc309a043f8b71e593453230ba75d2089be82c59e5a62d353b0dc2294d850d42645d398e9e6ac08c238d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPU-V.ini

Filesize
11KB

MD5
71aeb97dda8b98fb3dd0eccde3610b73

SHA1
48dbad3303ffc7814a8e1c5962f3058f0b298257

SHA256
ba2267e8aa29108d63fd826e1fd3481bf905b4f1ec6f5de87ecce49378f8dc5b

SHA512
317ff8c725a72ed8d9f065b8e78c62193bae3a66d4ac8f7e163f04fb5b26ce98b6343639dd5d91481a9f44fdc49ea350baf7947858425b250c18a4d00c59b3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdzxjkvh.2jq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3128_2118374125\8be12c13-2b30-4604-a24e-60b043dda382.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
5f7240dc6f73803225ab6ac157c5648d

SHA1
f0774a5d3928218d496fb5f6942123e0c934d56b

SHA256
3b618254bb0a698679b4c6e0308c013bbbf003a89d6a6a305055e171cb4e61bb

SHA512
11678b70895d92210794ec9f9c5434443d089d4e218bffa0a9701d959162c3896642f5787a079ec4fd69de2dc0726479c160ea2c807b45da2e7e3e8e780ec04b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1049802147\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1233052953\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1486609571\manifest.json

Filesize
117B

MD5
ca12521dc61a4c0672da310066bcdea1

SHA1
03ea7d03664923ea4b6e3fe866a325468e77d9a8

SHA256
f7c14141485441eba361c039386b6f8f35c4a782e36dfaff40af30863927fc21

SHA512
3464c286d5d26db0c5e40281957ff8550015030a208f4f1dc9a61cb3b2ba4ace0d25e7920768c4215798c9b246c4ba0866ca81abb6042d2671453f51f6d9f66b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1569719399\manifest.json

Filesize
119B

MD5
cb10c4ca2266e0cce5fefdcb2f0c1998

SHA1
8f5528079c05f4173978db7b596cc16f6b7592af

SHA256
82dff3cc4e595de91dc73802ac803c5d5e7ab33024bdc118f00a4431dd529713

SHA512
7c690c8d36227bb27183bacaf80a161b4084e5ad61759b559b19c2cdfb9c0814ad0030d42736285ee8e6132164d69f5becdcf83ac142a42879aa54a60c6d201b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1660651621\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1690256036\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1882758133\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_1993425509\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_2143658550\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_258888796\manifest.json

Filesize
135B

MD5
4055ba4ebd5546fb6306d6a3151a236a

SHA1
609a989f14f8ee9ed9bffbd6ddba3214fd0d0109

SHA256
cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5

SHA512
58d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_281142584\manifest.fingerprint

Filesize
66B

MD5
3fb5233616491df0ec229ba9f42efdb8

SHA1
18a8116e2df9805accd7901d2321c3fa92da1af4

SHA256
946f3a9e019b0d80f5671de782f295132341f663f74aebad7628f22e528d6d52

SHA512
e9b17ac626bf6508db9a686825411e90d316a0f1dacbf63dbec5baaaf6b96af4dbc9a7332975b6d5c16c43757d79fddca6b888ea97bc07a8dffb1b3a06366b4d

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_281142584\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_397448183\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_527905678\manifest.json

Filesize
238B

MD5
15b69964f6f79654cbf54953aad0513f

SHA1
013fb9737790b034195cdeddaa620049484c53a7

SHA256
1bdda4a8fc3e2b965fbb52c9b23a9a34871bc345abfb332a87ea878f4472efbd

SHA512
7eeee58e06bba59b1ef874436035202416079617b7953593abf6d9af42a55088ab37f45fdee394166344f0186c0cb7092f55ed201c213737bb5d5318e9f47908

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_713164578\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6112_945304223\manifest.json

Filesize
72B

MD5
a30b19bb414d78fff00fc7855d6ed5fd

SHA1
2a6408f2829e964c578751bf29ec4f702412c11e

SHA256
9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f

SHA512
66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

Download Submit
memory/1124-1539-0x0000000070850000-0x00000000708CA000-memory.dmp

Filesize
488KB

Download
memory/1124-1538-0x00000000708D0000-0x000000007094E000-memory.dmp

Filesize
504KB

Download
memory/1124-756-0x0000000036520000-0x0000000036530000-memory.dmp

Filesize
64KB

Download
memory/1124-1542-0x0000000070F80000-0x000000007297B000-memory.dmp

Filesize
26.0MB

Download
memory/1124-1541-0x0000000070950000-0x0000000070EF6000-memory.dmp

Filesize
5.6MB

Download
memory/1124-1540-0x00000000707F0000-0x0000000070849000-memory.dmp

Filesize
356KB

Download
memory/1780-583-0x00000000063F0000-0x0000000006456000-memory.dmp

Filesize
408KB

Download
memory/1780-613-0x0000000007F60000-0x0000000007F7A000-memory.dmp

Filesize
104KB

Download
memory/1780-594-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/1780-611-0x0000000007E40000-0x0000000007E51000-memory.dmp

Filesize
68KB

Download
memory/1780-582-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/1780-581-0x0000000006270000-0x0000000006292000-memory.dmp

Filesize
136KB

Download
memory/1780-580-0x0000000005B80000-0x00000000061AA000-memory.dmp

Filesize
6.2MB

Download
memory/1780-609-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

Filesize
40KB

Download
memory/1780-592-0x0000000006510000-0x0000000006867000-memory.dmp

Filesize
3.3MB

Download
memory/1780-608-0x0000000007C30000-0x0000000007C4A000-memory.dmp

Filesize
104KB

Download
memory/1780-607-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/1780-610-0x0000000007EC0000-0x0000000007F56000-memory.dmp

Filesize
600KB

Download
memory/1780-612-0x0000000007E80000-0x0000000007E8E000-memory.dmp

Filesize
56KB

Download
memory/1780-596-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/1780-595-0x00000000078A0000-0x00000000078D4000-memory.dmp

Filesize
208KB

Download
memory/1780-579-0x0000000005430000-0x0000000005466000-memory.dmp

Filesize
216KB

Download
memory/1780-605-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

Filesize
120KB

Download
memory/1780-606-0x00000000078E0000-0x0000000007984000-memory.dmp

Filesize
656KB

Download
memory/1780-593-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/2440-643-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/2440-642-0x0000000005F60000-0x00000000062B7000-memory.dmp

Filesize
3.3MB

Download
memory/3156-624-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download