Analysis
max time kernel
204s -
max time network
204s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64 arch:x86 image:win11-20240611-en locale:en-us os:windows11-21h2-x64 system -
submitted
25-06-2024 14:34
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.baixaki.com.br/jogos/rpg/free-fire-pc/windows
Resource
win11-20240611-en
General
Target
https://www.baixaki.com.br/jogos/rpg/free-fire-pc/windows
Malware Config
Signatures
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Processes:
regsvr32.exeregsvr32.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "WVTAsn1CatNameValueDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = 
"WVTAsn1SpcSpAgencyInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = 
"SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode" regsvr32.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode" regsvr32.exe -
Possible privilege escalation attempt 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 4356 takeown.exe 3548 icacls.exe 636 takeown.exe 5004 icacls.exe 4852 takeown.exe 200 icacls.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 17 IoCs
Processes:
Baixaki_Free Fire para PC_v2.420.27.867.2.exe.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exepid process 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 900 .exe 2272 LDPlayer.exe 4864 dnrepairer.exe 1496 dismhost.exe 3948 Ld9BoxSVC.exe 4820 driverconfig.exe 3124 dnplayer.exe 1820 Ld9BoxSVC.exe 1888 vbox-img.exe 200 vbox-img.exe 2604 vbox-img.exe 2316 Ld9BoxHeadless.exe 2056 Ld9BoxHeadless.exe 3112 Ld9BoxHeadless.exe 4856 Ld9BoxHeadless.exe 1156 Ld9BoxHeadless.exe -
Loads dropped DLL 64 IoCs
Processes:
dnrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exepid process 4864 dnrepairer.exe 4864 dnrepairer.exe 4864 dnrepairer.exe 4864 dnrepairer.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 1496 dismhost.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 3948 Ld9BoxSVC.exe 1848 regsvr32.exe 1848 regsvr32.exe 1848 regsvr32.exe 1848 regsvr32.exe 1848 regsvr32.exe 1848 regsvr32.exe 1848 regsvr32.exe 1848 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 4564 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 1608 regsvr32.exe 2996 regsvr32.exe 2996 regsvr32.exe 2996 regsvr32.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 636 takeown.exe 5004 icacls.exe 4852 takeown.exe 200 icacls.exe 4356 takeown.exe 3548 icacls.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes:
Baixaki_Free Fire para PC_v2.420.27.867.2.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV Baixaki_Free Fire para PC_v2.420.27.867.2.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV Baixaki_Free Fire para PC_v2.420.27.867.2.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Processes:
dnrepairer.exedescription ioc process File created C:\Program Files\ldplayer9box\NetFltInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\USBInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\concrt140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\capi.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\dpinst_86.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdpInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdpUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\vccorlib140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vcruntime140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\loadall.cmd dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\libssl-1_1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSupLib.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\ossltest.dll 
dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\fastpipe2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDbg.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\libeay32.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetLwfUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSDL.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\libcurl.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDD.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxTestOGL.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vbox-img.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxCAPI.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxRes.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\concrt140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxEFI32.fd dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\platforms\qminimal.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\USBTest.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES_V2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxVMM.dll dnrepairer.exe File created C:\Program 
Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\host_manager.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\bldRTIsoMaker.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxEFI64.fd dnrepairer.exe File created C:\Program Files\ldplayer9box\regsvr32_x64.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\msvcp100.dll dnrepairer.exe -
Drops file in Windows directory 2 IoCs
Processes:
dism.exedismhost.exedescription ioc process File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility used to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 276 sc.exe 4936 sc.exe 2112 sc.exe 968 sc.exe 4580 sc.exe 4720 sc.exe 2720 sc.exe 2112 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dnplayer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dnplayer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dnplayer.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1840 taskkill.exe 3140 taskkill.exe 4632 taskkill.exe 4804 taskkill.exe 3464 taskkill.exe -
Processes:
dnplayer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" dnplayer.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exeLd9BoxSVC.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0D96-40ED-AE46-A564D484325E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\ProxyStubClsid32 Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ = "IDirectory" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1207-4179-94CF-CA250036308F}\ = "IGuestFileOffsetChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ = "IDHCPServer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ = "IGuestProcessStateChangedEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32\ = 
"{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-dc80-5535-6fb116815604} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ = "IBandwidthGroupChangedEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\NumMethods\ = "14" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1BCF-4218-9807-04E036CC70F1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}\ = "IProgressPercentageChangedEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ = "IMouse" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}\ = "INATEngine" regsvr32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32 Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4a06-81fc-a916-78b2da1fa0e5} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6FA-430E-6020-6A505D086387}\NumMethods\ = "34" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\NumMethods\ = "15" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ = "IVBoxSVCAvailabilityChangedEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\NumMethods\ = "13" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4f3e-c9b8-5686939c80b6} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\NumMethods\ = "32" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ = "IGuestFileReadEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4f9c-b0d5-53054496dbe0} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\ = "IConsole" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-477A-2497-6759-88B8292A5AF0} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\NumMethods\ = "15" regsvr32.exe -
NTFS ADS 2 IoCs
Processes:
Processes: msedge.exe, msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 186305.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe:Zone.Identifier | msedge.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeBaixaki_Free Fire para PC_v2.420.27.867.2.exemsedge.exemsedge.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exe.exepid process 3460 msedge.exe 3460 msedge.exe 3680 msedge.exe 3680 msedge.exe 2584 identity_helper.exe 2584 identity_helper.exe 2452 msedge.exe 2452 msedge.exe 2356 msedge.exe 2356 msedge.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe 4436 msedge.exe 4436 msedge.exe 5076 msedge.exe 5076 msedge.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 4864 dnrepairer.exe 4864 dnrepairer.exe 2500 powershell.exe 2500 powershell.exe 1128 powershell.exe 1128 powershell.exe 2804 powershell.exe 2804 powershell.exe 2272 LDPlayer.exe 2272 LDPlayer.exe 900 .exe 900 .exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid | process
676 |
676 |
676 |
676 |
676 |
676 |
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
Processes:
Processes: msedge.exe, msedge.exe
pid | process
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
3680 | msedge.exe
5076 | msedge.exe
5076 | msedge.exe
5076 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Baixaki_Free Fire para PC_v2.420.27.867.2.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exedescription pid process Token: SeDebugPrivilege 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe Token: SeShutdownPrivilege 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe Token: SeCreatePagefilePrivilege 224 Baixaki_Free Fire para PC_v2.420.27.867.2.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeDebugPrivilege 3140 taskkill.exe Token: SeDebugPrivilege 4632 taskkill.exe Token: SeDebugPrivilege 4804 taskkill.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: 
SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe Token: SeDebugPrivilege 2272 LDPlayer.exe -
Suspicious use of FindShellTrayWindow 63 IoCs
Processes:
msedge.exemsedge.exednplayer.exepid process 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 3124 dnplayer.exe -
Suspicious use of SendNotifyMessage 25 IoCs
Processes:
msedge.exemsedge.exednplayer.exepid process 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 3680 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 5076 msedge.exe 3124 dnplayer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3680 wrote to memory of 4920 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4920 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 
4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 4028 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 3460 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 3460 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe PID 3680 wrote to memory of 1924 3680 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baixaki.com.br/jogos/rpg/free-fire-pc/windows1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8524a3cb8,0x7ff8524a3cc8,0x7ff8524a3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5784 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D41⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe"C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe"1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baixaki.com.br/portal/redir-partners.htm2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8524a3cb8,0x7ff8524a3cc8,0x7ff8524a3cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:13⤵
-
C:\Users\Admin\Downloads\.exe"C:\Users\Admin\Downloads\.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnplayer.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayer.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnupdate.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM bugreport.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\LDPlayer\LDPlayer9\LDPlayer.exe"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=100 -language=en -path="C:\LDPlayer\LDPlayer9\"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\LDPlayer\LDPlayer9\dnrepairer.exe"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=3282843⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\net.exe"net" start cryptsvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start cryptsvc5⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Softpub.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Wintrust.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Initpki.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" Initpki.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" dssenh.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" rsaenh.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" cryptdlg.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\dism.exeC:\Windows\system32\dism.exe /Online /English /Get-Features4⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\EB4356BB-EC21-4818-8F4E-D2A7E1A9A776\dismhost.exeC:\Users\Admin\AppData\Local\Temp\EB4356BB-EC21-4818-8F4E-D2A7E1A9A776\dismhost.exe {7649B96C-3691-4525-BB03-DCA53A5C17EB}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exesc query HvHost4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmms4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmcompute4⤵
- Launches sc.exe
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s4⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" start Ld9BoxSup4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\LDPlayer\LDPlayer9\driverconfig.exe"C:\LDPlayer\LDPlayer9\driverconfig.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\LDPlayer\LDPlayer9\dnplayer.exe"C:\LDPlayer\LDPlayer9\\dnplayer.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\sc.exesc query HvHost3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmms3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmcompute3⤵
- Launches sc.exe
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb000000003⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-0000000000003⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-0000000000003⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM ldcurl.exe /T2⤵
- Kills process with taskkill
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process (1)
Windows Service (1)
Event Triggered Execution (1)
Component Object Model Hijacking (1)
Privilege Escalation
Create or Modify System Process (1)
Windows Service (1)
Event Triggered Execution (1)
Component Object Model Hijacking (1)
Defense Evasion
Subvert Trust Controls (1)
SIP and Trust Provider Hijacking (1)
File and Directory Permissions Modification (1)
Modify Registry (1)
Downloads
-
C:\LDPlayer\LDPlayer9\dnmultiplayer.exeFilesize
1.2MB
MD5330013a714c5dc0c561301adcccd8bc8
SHA1030b1d6ac68e64dec5cbb82a75938c6ce5588466
SHA256c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a
SHA5126afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1
-
C:\LDPlayer\LDPlayer9\dnplayer.exeFilesize
3.6MB
MD52061141f3c490b5b441eff06e816a6c2
SHA1d24166db06398c6e897ff662730d3d83391fdaaa
SHA2562f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0
SHA5126b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc
-
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otfFilesize
17.4MB
MD593b877811441a5ae311762a7cb6fb1e1
SHA1339e033fd4fbb131c2d9b964354c68cd2cf18bd1
SHA256b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b
SHA5127f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4
-
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otfFilesize
103KB
MD54acd5f0e312730f1d8b8805f3699c184
SHA167c957e102bf2b2a86c5708257bc32f91c006739
SHA25672336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA5129982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exeFilesize
652KB
MD5ad9d7cbdb4b19fb65960d69126e3ff68
SHA1dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dllFilesize
1.5MB
MD566df6f7b7a98ff750aade522c22d239a
SHA1f69464fe18ed03de597bb46482ae899f43c94617
SHA25691e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA51248d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rccFilesize
5.0MB
MD5d4d2fd2ce9c5017b32fc054857227592
SHA17ee3b1127c892118cc98fb67b1d8a01748ca52d5
SHA256c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185
SHA512d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dllFilesize
2.0MB
MD501c4246df55a5fff93d086bb56110d2b
SHA1e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA51239524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dllFilesize
442KB
MD52d40f6c6a4f88c8c2685ee25b53ec00d
SHA1faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA2561d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA5124e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dllFilesize
1.2MB
MD5ba46e6e1c5861617b4d97de00149b905
SHA14affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA2562eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dllFilesize
192KB
MD552c43baddd43be63fbfb398722f3b01d
SHA1be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA2568c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA51204cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dllFilesize
511KB
MD5e8fd6da54f056363b284608c3f6a832e
SHA132e88b82fd398568517ab03b33e9765b59c4946d
SHA256b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA5124f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dllFilesize
522KB
MD53e29914113ec4b968ba5eb1f6d194a0a
SHA1557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA51275078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dllFilesize
444KB
MD550260b0f19aaa7e37c4082fecef8ff41
SHA1ce672489b29baa7119881497ed5044b21ad8fe30
SHA256891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA5126f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dllFilesize
854KB
MD54ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA152693d4b5e0b55a929099b680348c3932f2c3c62
SHA256b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA51282e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dllFilesize
947KB
MD550097ec217ce0ebb9b4caa09cd2cd73a
SHA18cd3018c4170072464fbcd7cba563df1fc2b884c
SHA2562a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dllFilesize
283KB
MD50054560df6c69d2067689433172088ef
SHA1a30042b77ebd7c704be0e986349030bcdb82857d
SHA25672553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0
-
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdkFilesize
35.1MB
MD54d592fd525e977bf3d832cdb1482faa0
SHA1131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E2BAFF688C7994811CD78232818FD29Filesize
2KB
MD5ddb562257c27568d2f8308b9e195b131
SHA1d342a2a251f6d4201ae7e0a010b815941a4204dc
SHA256a9dcd22d1389e0adb50c95936d8e693e93510d2079f20bcf45a6c3bb32091be6
SHA51250f01df2bb9262b9d8057a5a3e202e874ad5edc8f11462af66080499469a1344c8b2e724e0092c72c58ffad2a374a430108d3ee52885dea4802cb9e7b8af1da4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\949D2E01833511C6366A8B529939FE66_A640373CFD567F7FA24BE1FC82025C7EFilesize
314B
MD5b004643370bb11a67b587db8e9592177
SHA1a14a3c82d46d1d1ffb348e309580c101e42b9b87
SHA256e8e45978aac4b913738264eeb282557a61ef3ad27ee207c3862be23ee8d733a1
SHA512c604fe0ae8bb0f6e32622a2a18d4586c4d92c52d51342a605d15d6e9ba43634737a3efd9e2dbfd90b38c06ac932e5b6ce470158740e004422d6fb1bc5943c7fb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E2BAFF688C7994811CD78232818FD29Filesize
306B
MD5be77d262a16318e6cef79441804009b7
SHA187cb0ec1b4044e39c17b5bffa243a53ce851f9de
SHA256cd1ca011e8f33d5f94b1cb8f3ca7291bfbb7e43eb703807ce27058530b14d2cd
SHA512c2ea12835de752828fc2e2354321660badae882dd1bb60a46200ef28eddf632cd48bcbc1e5d279d55c7cb6b21c20209ea84432fb3e94581d7c0d50c65d2b33d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\949D2E01833511C6366A8B529939FE66_A640373CFD567F7FA24BE1FC82025C7EFilesize
494B
MD5b76f2ce4f743b4bf7a244c3e82dcaeac
SHA100f739258d22c59e0ff30107076cb39ab46b2443
SHA256426b7246583a41b6d7ce9248a5d42c3483c0445ed70c02df8e4dc6d67821b961
SHA5121bd9d021ba4a647ed5b2dc89e1ca74d125bf085bc5a4dcc45d499fceea950660bca091b067ff53f5ff4e2a1a6a01bc3855ed05a660625156edbf1a32c1deaacb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53066a8b5ee69aa68f709bdfbb468b242
SHA1a591d71a96bf512bd2cfe17233f368e48790a401
SHA25676f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434
SHA512ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55c4605aed5013f25a162a5054965829c
SHA14cec67cbc5ec1139df172dbc7a51fe38943360cf
SHA2565c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f
SHA512bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50e48139ed20081ff7f81852fe5275277
SHA17ce8920f0342f8766e89d55808bb0ee6aee3ada2
SHA2565d01dddd6896ef9f7bac3307793b203a2136b869e4527d41c6d31bb74fa0bae2
SHA512c1bda2c25ded66cde7f662dda7749e85ac0ee981d74118974b4174ffc8306b370d1eaf2cf6ff02e0cd906e1655613af203ffa76322c647ee9efa8457abe0e64e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d8023f426101400949c9ac0b9ec296a4
SHA142fda1889f1eebf6137788968ae0a857da79c129
SHA2563fafb575fc9eeeb8f7e979db3ff91a66b537dee7785f418aef61b3600f82679e
SHA512773012aa596e64cb4b0b39ef4fcc3777e8753579c35af981970a6c6d3f52fdd3d4a9804d34b96c37702440201236e8b4c287c558fc66a6504f6135f8eb9678d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\148f4584-60a2-4cef-8189-c23bea5d6bcc.tmpFilesize
8KB
MD5fce513795f9bd6f57fa01c04fcbe3ab5
SHA1dbc2de4d92307bb2af59f09913e695166e6f694c
SHA2565a7aa372dabd18bfd0d0f7edc88786784b9575c78f5f2129032ae2ac6337c305
SHA5126994b6c55dc6caa4d0aabe213cbd4f28466c9d447a08510a6a92cf48428246fa2a4ddfed8a280063d758ff9bbd7c472bf4eb9364b9c319aff7216bbff427446d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0Filesize
44KB
MD5298d8e4b7263146c7ade852d4304ca78
SHA131cde4b1eef729f9f3d4e68e91bbbc272bec7b44
SHA25661a1f7013c83c9eb54e17c26fec7b4a20d13b7434ac6380fd87ed46ab6a805ce
SHA512e9073110caa6232fc055c4cff98b1b709ee8852710415da44c1e07fbd57e614dbf2e18bdde107f218302728aa04bc047f8ea270b94e38c7d0554cb2d992bd141
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1Filesize
264KB
MD52b6d9c35f6e5c3385f3e86d116b800f7
SHA151f701e6355ddf66ecfd863236567be8dfb9b379
SHA256b2195e4e0b426c2846697666a36926006a3a4cf30a69bcd80cb75aeb31bd1dcf
SHA512e9d308b49a41ad8813724dd5a0fa2d3ca1a7dcd9f3d33f92a55dfafb7634d7838fa0a3b646a048aa019bffc10e23173ed470c3f11184823d4a300d79310a8425
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2Filesize
1.0MB
MD54b0f8cfba9a5b0fb44441b0eb80c7828
SHA11ee59b4124129e0f9be0c3eb1e3564f75b396126
SHA256b325eee4a4bc728559392e4fb47c529b0372aa20979c80ada7fbb0fa59610ff5
SHA51206f41a74e94162fbab3b60ec7e0949ba677c099313bde165f02c127c4bbd958fc0a53ce86379202d820267da085370f023a04e402e351e3b68ef2efbd24f59c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3Filesize
4.0MB
MD53ddd826d0cf363e445cae43f03808c06
SHA1d313e40724d17f127b129c6720ee85e17b3792b9
SHA256362e5f5547b24c953bd0a3892cd9c93d9f8cacd75552b31204dbbbc3d5ef0c1e
SHA5121a3fdaebe250d5a11dfb2454d087863dcce1e94e70602c8db6664867433b9f6cd722e45442e21e6e0f7e9af208e4cf26ef3839d0374ccdf712a2428d7759017c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5f0c9a12024fc6057bb647aa6969f03a6
SHA121af13537b85a09314e4f428bb5fd81003737818
SHA256a6c0451c90c863a34a919eda9182188f2b917d66cc35a9e05e00813866086cbe
SHA512ab864f2415db7f91513e3c705380ae87f45a0726ea34e37d28eeb8d1cc48125dc2899384eba00d3957d4bee8936d920132ed261652e5607ae64d700a331a7079
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD57156f0a50eb501e9beff3c0e0775ed9e
SHA1107a82aa3fe35274f056772da0065972391a284c
SHA2561f5924d953886a558a34845e0d183d1ecca33c4d74ead7a9c198579a63058a06
SHA512fa97cf24453ebe921583a5a5763e36701edba0668646bb280f21e72aee4d5c7b8c6a538222e8535f0a0a64b353f9945104a2e971c9298ace7c6e8bbaf0b6d94b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
28KB
MD57cda0574aeaec28fbeb16a5b981c0612
SHA17cbd4c1273e3222c23fd66c591d9a00cc1ca38da
SHA25677547c500719f292c33580bccb685c47d321200b90f6cc00516f40f2ae43fe7a
SHA512f99ac540a7a6f54747b18451e7b20ae51be4e507cd86c99c11f4251e574bae7e9e1cfc38b782497c3c872391231b2b2b6aa915fd8e330f9ef21dfbef1143a4a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5ff7a144f481e689ea8488599ddd4b5f3
SHA187f75e434b15e620904568d2b06d0a94bb56585c
SHA2561d0e21d96d2faf2ec2b02acfad58a5b9ab63896d9ab765b0020557f8dcc8f051
SHA512a4346bb99d5edd78e7470b2f476885595fa0c07a082525b9f04c0d28708d83de6f9c8ce6396846a5f9cb0cbc6796987c9de3faa55cd9e7ac7acb6248fec5f9ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
116KB
MD5a60671568835cbcea84080c101fd482b
SHA155e85d42910f450154e1928eb6833cf7ced8348b
SHA256ca2ff0fb25d0eb4222ee21f2509c23305b2b4eeb8b8b484da489d71df010a125
SHA5128528331348802863de26cbc337b51ce7a1db923cb135ca5a5fe2f9c24bb1540e3619599358a5770efd1a508d7b2773ee8e248c8b3ca1d0dac61ab114e96706da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
1KB
MD58e0e822ce8c9df4a737c220233b2b2ab
SHA1ea7d133b6ed873e0439a681f61a0b0bf209d8355
SHA25637e72fb14b17bc4261dab6025b532114a99284e53e513fa082dc150ec2d07c7b
SHA51246a2680213a40624c2892d9ba7c1ae43be4a13cdffbcca87ce78757b0a3634c09e5c0812ca9d43743b4a6ecec69ba75af2eac8ce06e53e00abdc562399af1103
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
6KB
MD587b3952b05ffe36ac1e469f791a5f199
SHA140d356531980179e0a9f742e0888e1bed2285a60
SHA256e6a910a6f744791640d93bec92216aa5806bc4f03024b611f6a51053e61c538b
SHA512041ec4cdada3cfd283ab29942854c7928b14ebff54bddce19e0a5c4e4cc17a1b3d51ab338ef694dcd7010f89e3a498658da9e77493c18df61f976af9c0509b34
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD57f38ae511a47a73fcd467d00407afa33
SHA1bb71893bbf6ae7a35abb121959bd6728e7227d2f
SHA256947ed8122a4dafba4fbe3e195ed2448e834d5232e63f1bff9e933d76be3b9ace
SHA512083b7d66a5314106d8862d172f473da31de9c31903d5de7a8d58cca12b3e3ad9ee3d56f49055ad6b2a7b4da87cf51ca117f27062088352f63ec73eef052ef020
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
6KB
MD5c83c6566cf39ba230b6b9c4fe6e36be4
SHA1ba53cb5754875594203b9c0a40875803c8465b21
SHA256fdfa1d528ee44852c8f1b24b10b57e17ba259b4f247ad45bcb1a609ce7e46845
SHA512f325e9d6c1bd4c0af2dda1367f4dbbab503ddcf92ba57b3ad4bd88ef59e7dba84b93f81c20f8800db775b7bee0924d1a85a9bf1c60441f54b28dea66dd286716
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
6KB
MD5002ea9f08c1fbf6f2f4a732a5cd7ba4f
SHA1b24ef77490e65374cf6c3930783c22f50334b7b4
SHA256013a3fbb60a5b1c10dd243ef6cc0bcad3c05e2fa8576eaaf47dd74540d0246b8
SHA512ec9f7b3173d35d67fc319e8db9407b69d922c3f042f0ea6daf7af21e4d40b863ff019630a71ded4f6f4131f749160e0624df9096ab0233cfc453f5a36c8efabc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5e490700fd99c2d5d8036048acee5aa7b
SHA11875e0c47405a3af344937f7622dbd6e97dfe7b8
SHA256e1d5fc95bb27e0d1a5ec56393a77266ab58a98c2ac42cd5d09520981ecb2ebed
SHA5121fe80b5227c11b142d57ed862f9ef841fa64ce187fd8abfd97be710bbd7e5ef5e99c6df9e1309d4f0ec7af0aa7f79a0ba7a9f65e52ec5a414e9f944ed2e8da03
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD50fad0e70a64be2659268b91f9cc6b7f8
SHA1eb8b3e899af17aeed68f23d14d6a3428f7492362
SHA256ffd566dc532ffa170e2b224f067fe5f25d99896499e5f7c79a2acc3a1a6348f0
SHA512720eb78a45793a1b9a4d48eaa8d34eb9a00ad753a376fbec3dd22974a89be579c6fa56335517905a9b319040e168d6c9b8ce6bccc732bd1bd6a8039846601cde
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5e7df8aa19154c3bf788fe10f1ddbe505
SHA13921df2dc4e8301d8b402836af9e7c1ff886fc22
SHA25628cf00089fc2ae56185bffdc411daa24fa9de04891e021798d61f05822e416d4
SHA51225cca59dc665301d1345fb532e1b8c46c21e135db2f5ba9b31234a84fc6b3ea8e841314afff21b9e4f1ac003c9c4c69ca33f8dbcc8fba185e093b2a4e6fb9c5e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD57e7630711d4e62f5583eeb86bd719eda
SHA192301605d07143e86ef8a1faaecca5875aa4de3c
SHA256aa6eb0026c733545fcdecb7c08ac3d94296d2c0d14d047240e3eb6a67e6dcfc1
SHA512653537f9f730e8ff19b32f7ba272acb403dc9fbe478cb39c2137235effb17ed56e0bee8164d1f8453310f13ec57bdc13636e47fa58159b26da6137d09d619b6a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.logFilesize
2KB
MD57a24d4ff36b1a99425353d0f9f5e323c
SHA161b30763f064db6e761db152db873b5213a166aa
SHA2566c8d0ad285b7dafddadbf0f8e90a1f82e2337c0eea58adacaf0e6d35e4d4c584
SHA512316cb42e019be248e4271a8bcf52f96b9d805ba8f5885d221c1290b10305ae4cf1928ff7aa46cfe9a36a7230869ce5766bc76df8f63f79af80f642cba6dfc09e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOGFilesize
319B
MD573378677223c514d10c7324bc1b35bea
SHA1907ade2f35e8a4a18da382d461e960aad602df0e
SHA2569b9c203b3c7e39e5fea539275e2c87aaf3ec2ec1ddcbf82727fe71a1065e89a7
SHA512b2c19eb0b507018124234f00eafaa68ca7e05943b28ece6e523ffc0fc570f382b78aed55af8d0db9d3cf13049450a6dcca5a9b434bed3a8244b44877123315c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363799664138477Filesize
15KB
MD5d7a6caaea8e0be71df3bc94686773f83
SHA1ed1ca9f4853f14f9fd26c8a463c52de9aee20223
SHA256abc8f3ea6e41ecfc40c6d496daa00504faaba94b1456b31c3d9d26ce6d0de49b
SHA51217456785d2e5b619cc41d313abf9af06dffce2e798d1a922bdf44bb6aab31b3308830256bc19dc33ed56d91b44879f4ba66ef75eac595a7c850ed836df767932
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
112B
MD5142548c72d94a34547342ff40eae9896
SHA17942e14e180726f060555e592c4bfaf8784562aa
SHA2568d923adbdf582be2df59e9c43ca0572faa73bb84b6fc48a1a0ecdedf653dc552
SHA512ec0c9bbed374cdac41588a0a39e6596ae74e6869e45a9016584c5de2396428062de9b1a2b25faad69f536c3cced1452805b4cb233bfe3c39d0318203af98f753
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5459b931a1c1ee527a7aa517659e8c949
SHA1568b081751981b42b1dec3cbc02739e673a441c7
SHA256786e512d8932d73ed305cd3fdb14e3aa3600b4db0585632130c050b5be55c010
SHA512c72e6126df03d885005d05870b8d0b8c1a5c66629eec26375b5b6a8defd7b2856cc490bdde4741612b601ee0e414e4acbb1b2111b9e350d8cbb84d4351166115
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD52bfae9983afe5d6138a80cb9acf4e2d7
SHA168851a38d080c02cc51a55952379a80e5e0496c6
SHA256c5ffecdb818acb68e8c7e90e7f8e342f9b033631e5cb0aba2174f50b4d2f4c8a
SHA512c26c884d4d3a969c476efd44abd7ec9cd9a30a2ccf15407d4eecbb3287dd98986f4c02721d62cff2942bd1c59a19f294653f1fd02dd625b50b405e9871c147d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD551c5638d8c1ad781fd4f424ef66a8e56
SHA1c588b0c67363a20c2713bc9c878a980fa4ea4364
SHA256e9be9c1d4b30fb15814fec0e0655bf163dc07346e3782d3773cc9c8cc7e4b7fc
SHA512896e52f5c140c525994847047f71aa1f98e0d0cc165ec38688dd8da83ea8345784e75cae419d18f0c5cb818183107621b8527020dc2da0ab1492c075d2b537b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5be78a63ad6e0b5a80f1a74ed0f1e863b
SHA1255e17b0596fd4160705433ffefdf2714a24c67f
SHA256a2f63bfcafd3ea654520099564062166d5712ec1c45799881c7f1ff6060580e1
SHA5126bad8a2bd5294201667909eb8afa797e520abf0c90305798b50ef512497c3301553e8053aa9ccd46f45218090c8c3d24329057ca3d2cd2b4e7c46853506c493c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586925.TMPFilesize
2KB
MD50bafb421526db9ca57314623e1363de5
SHA1dfb124db95b9cfdbfb4ff18a30de896268f6d126
SHA25673b2c3298f5f5de2e5dde4c385cfe24775bf164a0c6eac936e33d9e6f95c9fac
SHA512ba352c6fc97ad53f56c2c60115f6e22513e3942fcc5e7d61bff8b6a8f9969ef8c486dc71a6654907cbcd962d47216c1cd16db750341a28cd10105f5561b0a038
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD52372a0d34b76b6db2e7c4d7bd31f2d00
SHA1050c93248e9da4a112ecf49cb09dd4a8e916a9c5
SHA25615d25b57a516686abc3f8aa0d85aec43a409d007517c6a12e6068bc851825a25
SHA5128ebfb963a90e5fbdd7d7c161e213d756c6a073dbd9f050d3f42f01447aabfb1d72b9f465e2c710626618bfdcdea64b1ef60480c6a4c7c41970158afcad80cb2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
88KB
MD521e7de246430ed1940bae1c4cd26f9e7
SHA1d4ea8bc64ce2418a2407965ff548790c95762da0
SHA2564611dde0269833613e01a2c007d937bf951a0ffb43a465e6faa748aaabcc499d
SHA51230001ee0d0db8203b6fb626af66d3ba9a57e512db8d417af9dd860227d1ee010d64da6d0c0b565685812a1d592688d8bb980fec9621121024df3532a9de8f48e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.logFilesize
4KB
MD51407c44a0a8aa263f0ae1805d194c05d
SHA1880631fe2ae10975ade17eb1d51b7c6abd3a7ca7
SHA256d25d55d02f2bc80322cd05bc9a1496aeaf6b31f812f705d45110050bc296064d
SHA512a1f15741152c1d40a2db92d96673e564ffd7ad7110265b4818c27a3a930a79aa4ff3de214d3b46f9d5669df5f8b70257e1406ceb4bd9736e790f0c7110078deb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOGFilesize
322B
MD55db6887aad3ed62bc25fab9af18b53c0
SHA12c07072a20c0cad6f640bd2872f20dcd34bb4755
SHA25656cd33871f0f51cb29fcff2d698005bd1ccef66462f9701df693399bd4e0002e
SHA512392dc10dba8fadf306e74650d8797363875157d283c9ce6a08212e84eac7e7b14c0474e8f50daa98ac921019f523ee91de768530d564a19b0ad8eab38939f414
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
340B
MD537b76ff36afd293e71a7bc1de4de1117
SHA1265eb0c2d54ec6a44cba8777ab5cdbe98463a56a
SHA25606498b37ab65a5941f84e24143bed651ccbb1f79921a4cca409d2a08866a1e7e
SHA51216a307eec6aca4b049396f3ad5acbf89d9519d0cc801848b8b6116c5d7e8044c5d8f27358a075952a40cf4b09a091a645da3e450cd68d47d5da388908ce8e146
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0Filesize
44KB
MD55ddcea204117b6e6a695deb8ed3e2d51
SHA1ffba8c7c706fe697d4f3b9cef47d7802866fb82c
SHA256c5fe9a2d38f02112de10e6c7793587ea94178866141322e2207c97ebecd3dcd7
SHA512db0f43844a3771e1e8133480233555acf66a6cf7bf4e7ca4ffd54258c908ea880adcf3cdfd656628ec7c1116f67fa2245fe0ed5fe884c4dea5f472f49330c740
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50fb878b8311938210ee204d96f6736cc
SHA156977c81e368c65d0d8fcd20e32629f008e005f9
SHA25680b0204153d0aca9963d99c4451a245fade03bc6c1e02e91edb7a690003aab9e
SHA512fbcc66ff00bfc2bab7c86659e38c0fa09bfea3a2e69fff716316c08c0ed63436dcc0ffeb5add6cbd9bacf9324b8b60368a891d214e44b59588777187b201d2a8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5009ee52de8f8411e6594f4c829f70340
SHA1a794ffd79124caefdb18fb2ce50d8e2d2f693a9c
SHA2564409137dba18a09f59b975ab51d9668b9545703c665e4a8d422ada0ff04b1525
SHA512703c530e79efbf0860c953d591ee2097e67fb625b934ee8449df3cd23bc587ee9cd1d45aa10f4df7225e80a410f172e1165d8c93d39d7f3fdeeb9e34c13ca462
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5a088e65eb2312fe77ab15a4cb77b2ad5
SHA10bc501e872649b3e099dec764945bc971a69b4a3
SHA2568b77d714406d6721b7e7e09a5ac69815cbf8b64c0cc098f5633aac2b5d892da1
SHA512f4a096ed65f1359f38c038d8e69801f7548bcc735a2f4356d5e1e18991a8e37e1bce931fe6000663e9767505e37a0c9e0f434edc22d506009193fbbb638bd699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c2d1b460-abe2-4e0f-84b9-0329b3685263.tmpFilesize
11KB
MD50b8ebaa30f9d29b57a177d537925deb2
SHA11da409fd4c1e25a6c1244ab36063a7da0d656950
SHA256b60a0add8bfefcde84e79607f0c1127540b5cd69cbd161bef7c9f20dac6194cd
SHA5121d50f3ddaa81f4bc34ca7054cb3151b82062d9e79eb2a6b942ddc305b3d3049fe342f437984d94effcbcc6a8bbb5ae62f6d98e41407f3311e0cbdbe10a97b3df
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nh4u0tix.x3p.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dllFilesize
73KB
MD5b001f88504c8c9973e9a3b4dc03e6d1a
SHA1a54b3046a70a4f2c792ad6a382b637b599f1dc48
SHA2568ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd
SHA512390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8
-
C:\Users\Admin\Downloads\.exeFilesize
4.6MB
MD5b090c5b0e299c22ef6db97dd47c4cb93
SHA11576c0199d53126e7f7b005aabfe8555467984d6
SHA25676c7b3fd30179dcc07d3b97624d7d0a7e360992c9c56a9519d3df59406ac466b
SHA512825ba4ebd07d33e2bbee7b029d2397c0bb426e07446d2e9487d51089c6464ac1b794fae29fbc7f9662ab7c34de72c2a95ed5543170624ad84a43a3de7ae1a6d6
-
C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe:Zone.IdentifierFilesize
67B
MD590b4f32289be85d2be4ccd06db7761e5
SHA180d68153a67d5f490c7f2b336fc8daa4ed93a3ea
SHA256a876496da2edb917cf769c21e8c1e0d57ad9d9bc478a80fe6365f716ab2b1e37
SHA512af7c1208ec48f500b665ff4f5f279d6c596ba6acf7cc80e691ff1fd8508ee6f82074d14d0c72f4cbe45bf9e89d1ca7f81a5d711515621fb1fa7206d6ce0724cd
-
C:\Users\Admin\Downloads\Unconfirmed 186305.crdownloadFilesize
1.3MB
MD521bd357545f207c0cdccfd0bbf77de08
SHA185669fba2b5222efddf2c5f08a83f11745420dd6
SHA256f4cabb0638c44b174b4b203d8c03344629bf3ea5bc3b4ed346222187e8d77fa7
SHA512def2fc67e80231a4fabff71d538b5aca75e94c6173837553a3174adb78bb7d8bf29ea5600a5fdf6484419bf6b1fab0e541dfa8d0b2ab733936d571bc857a873a
-
C:\Windows\Logs\DISM\dism.logFilesize
22KB
MD523f7814355b2d2119d674baa26aecde5
SHA13043d9eb0b226a3be42b312f77ae264d9271e1c7
SHA25617ca19fb9ce6602831d1dbb28220c73e4996083888af79f3f3e12813e8036785
SHA512491e88ec51987049d9ef202b619df03a2c54705ff725921587934c44b88ae7a8f991ca441ec0042169a274c332a458eae63050eaf252572e5f814e7086c202ba
-
\??\pipe\LOCAL\crashpad_3680_GDULOCWUBWIPWZFD
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the digests of zero-length input: the named pipe had no file content to hash, so they are not usable as indicators.)
-
memory/224-467-0x000000001C6E0000-0x000000001C6F2000-memory.dmpFilesize
72KB
-
memory/224-469-0x000000001C7C0000-0x000000001C7F2000-memory.dmpFilesize
200KB
-
memory/224-487-0x000000001BEA0000-0x000000001C053000-memory.dmpFilesize
1.7MB
-
memory/224-476-0x000000001BEA0000-0x000000001C053000-memory.dmpFilesize
1.7MB
-
memory/224-471-0x000000001C7A0000-0x000000001C7BA000-memory.dmpFilesize
104KB
-
memory/224-470-0x000000001C780000-0x000000001C79E000-memory.dmpFilesize
120KB
-
memory/224-463-0x0000000000FF0000-0x0000000001142000-memory.dmpFilesize
1.3MB
-
memory/224-464-0x000000001C880000-0x000000001CDA8000-memory.dmpFilesize
5.2MB
-
memory/224-465-0x000000001C710000-0x000000001C760000-memory.dmpFilesize
320KB
-
memory/224-466-0x000000001CDB0000-0x000000001CE62000-memory.dmpFilesize
712KB
-
memory/224-468-0x000000001C760000-0x000000001C780000-memory.dmpFilesize
128KB
-
memory/1128-1208-0x0000000005AF0000-0x0000000005E47000-memory.dmpFilesize
3.3MB
-
memory/1128-1212-0x000000006E920000-0x000000006E96C000-memory.dmpFilesize
304KB
-
memory/2500-1192-0x0000000006B10000-0x0000000006B2E000-memory.dmpFilesize
120KB
-
memory/2500-1179-0x0000000006090000-0x00000000063E7000-memory.dmpFilesize
3.3MB
-
memory/2500-1182-0x00000000074F0000-0x0000000007524000-memory.dmpFilesize
208KB
-
memory/2500-1199-0x0000000007AB0000-0x0000000007ABE000-memory.dmpFilesize
56KB
-
memory/2500-1183-0x000000006E920000-0x000000006E96C000-memory.dmpFilesize
304KB
-
memory/2500-1200-0x0000000007B90000-0x0000000007BAA000-memory.dmpFilesize
104KB
-
memory/2500-1198-0x0000000007A70000-0x0000000007A81000-memory.dmpFilesize
68KB
-
memory/2500-1197-0x0000000007AF0000-0x0000000007B86000-memory.dmpFilesize
600KB
-
memory/2500-1196-0x00000000078E0000-0x00000000078EA000-memory.dmpFilesize
40KB
-
memory/2500-1181-0x0000000006550000-0x000000000659C000-memory.dmpFilesize
304KB
-
memory/2500-1180-0x0000000006530000-0x000000000654E000-memory.dmpFilesize
120KB
-
memory/2500-1193-0x0000000007730000-0x00000000077D4000-memory.dmpFilesize
656KB
-
memory/2500-1168-0x0000000005880000-0x00000000058A2000-memory.dmpFilesize
136KB
-
memory/2500-1169-0x0000000005920000-0x0000000005986000-memory.dmpFilesize
408KB
-
memory/2500-1170-0x0000000005990000-0x00000000059F6000-memory.dmpFilesize
408KB
-
memory/2500-1167-0x0000000005A60000-0x000000000608A000-memory.dmpFilesize
6.2MB
-
memory/2500-1166-0x0000000002D10000-0x0000000002D46000-memory.dmpFilesize
216KB
-
memory/2500-1195-0x0000000007860000-0x000000000787A000-memory.dmpFilesize
104KB
-
memory/2500-1194-0x0000000007EB0000-0x000000000852A000-memory.dmpFilesize
6.5MB
-
memory/2804-1231-0x000000006E920000-0x000000006E96C000-memory.dmpFilesize
304KB
-
memory/2804-1222-0x0000000005480000-0x00000000057D7000-memory.dmpFilesize
3.3MB
-
memory/3124-1349-0x0000000036960000-0x0000000036970000-memory.dmpFilesize
64KB