hxxps://www[.]baixaki[.]com[.]br/jogos/rpg/free-fire-pc/windows

Analysis

max time kernel
204s
max time network
204s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.baixaki.com.br/jogos/rpg/free-fire-pc/windows

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4356 takeown.exe
3548 icacls.exe
636 takeown.exe
5004 icacls.exe
4852 takeown.exe
200 icacls.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

pid	process
4356	takeown.exe
3548	icacls.exe
636	takeown.exe
5004	icacls.exe
4852	takeown.exe
200	icacls.exe

Executes dropped EXE 17 IoCs

Processes:

Baixaki_Free Fire para PC_v2.420.27.867.2.exe.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exe

pid	process
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
900	.exe
2272	LDPlayer.exe
4864	dnrepairer.exe
1496	dismhost.exe
3948	Ld9BoxSVC.exe
4820	driverconfig.exe
3124	dnplayer.exe
1820	Ld9BoxSVC.exe
1888	vbox-img.exe
200	vbox-img.exe
2604	vbox-img.exe
2316	Ld9BoxHeadless.exe
2056	Ld9BoxHeadless.exe
3112	Ld9BoxHeadless.exe
4856	Ld9BoxHeadless.exe
1156	Ld9BoxHeadless.exe

Loads dropped DLL 64 IoCs

Processes:

dnrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
4864	dnrepairer.exe
4864	dnrepairer.exe
4864	dnrepairer.exe
4864	dnrepairer.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
1496	dismhost.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
3948	Ld9BoxSVC.exe
1848	regsvr32.exe
1848	regsvr32.exe
1848	regsvr32.exe
1848	regsvr32.exe
1848	regsvr32.exe
1848	regsvr32.exe
1848	regsvr32.exe
1848	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
1608	regsvr32.exe
2996	regsvr32.exe
2996	regsvr32.exe
2996	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

636 takeown.exe
5004 icacls.exe
4852 takeown.exe
200 icacls.exe
4356 takeown.exe
3548 icacls.exe

pid	process
636	takeown.exe
5004	icacls.exe
4852	takeown.exe
200	icacls.exe
4356	takeown.exe
3548	icacls.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

Processes:

Baixaki_Free Fire para PC_v2.420.27.867.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	Baixaki_Free Fire para PC_v2.420.27.867.2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\NetFltInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDbg.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libeay32.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSDL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxTestOGL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vbox-img.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCAPI.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRes.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qminimal.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI64.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp100.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

Processes:

dism.exedismhost.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe
File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

276 sc.exe
4936 sc.exe
2112 sc.exe
968 sc.exe
4580 sc.exe
4720 sc.exe
2720 sc.exe
2112 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

pid	process
276	sc.exe
4936	sc.exe
2112	sc.exe
968	sc.exe
4580	sc.exe
4720	sc.exe
2720	sc.exe
2112	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1840 taskkill.exe
3140 taskkill.exe
4632 taskkill.exe
4804 taskkill.exe
3464 taskkill.exe

pid	process
1840	taskkill.exe
3140	taskkill.exe
4632	taskkill.exe
4804	taskkill.exe
3464	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

dnplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeLd9BoxSVC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0D96-40ED-AE46-A564D484325E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ = "IDirectory"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1207-4179-94CF-CA250036308F}\ = "IGuestFileOffsetChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ = "IDHCPServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ = "IGuestProcessStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-dc80-5535-6fb116815604}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ = "IBandwidthGroupChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}\ = "IProgressPercentageChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ = "IMouse"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}\ = "INATEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4a06-81fc-a916-78b2da1fa0e5}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6FA-430E-6020-6A505D086387}\NumMethods\ = "34"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\NumMethods\ = "15"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ = "IVBoxSVCAvailabilityChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4f3e-c9b8-5686939c80b6}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\NumMethods\ = "32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ = "IGuestFileReadEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4f9c-b0d5-53054496dbe0}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\ = "IConsole"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-477A-2497-6759-88B8292A5AF0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\NumMethods\ = "15"	regsvr32.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 186305.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeBaixaki_Free Fire para PC_v2.420.27.867.2.exemsedge.exemsedge.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exe.exe

pid	process
3460	msedge.exe
3460	msedge.exe
3680	msedge.exe
3680	msedge.exe
2584	identity_helper.exe
2584	identity_helper.exe
2452	msedge.exe
2452	msedge.exe
2356	msedge.exe
2356	msedge.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
4436	msedge.exe
4436	msedge.exe
5076	msedge.exe
5076	msedge.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
4864	dnrepairer.exe
4864	dnrepairer.exe
2500	powershell.exe
2500	powershell.exe
1128	powershell.exe
1128	powershell.exe
2804	powershell.exe
2804	powershell.exe
2272	LDPlayer.exe
2272	LDPlayer.exe
900	.exe
900	.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

676
676
676
676
676
676

pid	process
676
676
676
676
676
676

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exemsedge.exe

pid	process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Baixaki_Free Fire para PC_v2.420.27.867.2.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
Token: SeShutdownPrivilege	224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
Token: SeCreatePagefilePrivilege	224	Baixaki_Free Fire para PC_v2.420.27.867.2.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe
Token: SeDebugPrivilege	2272	LDPlayer.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exemsedge.exednplayer.exe

pid	process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
3124	dnplayer.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exemsedge.exednplayer.exe

pid	process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
5076	msedge.exe
3124	dnplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3680 wrote to memory of 4920	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4920	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 4028	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 3460	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 3460	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe
PID 3680 wrote to memory of 1924	3680	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baixaki.com.br/jogos/rpg/free-fire-pc/windows
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8524a3cb8,0x7ff8524a3cc8,0x7ff8524a3cd8
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
2⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5784 /prefetch:8
2⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:1
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
2⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
2⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
2⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,9231318448705696982,10596734061726577368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
1⤵
PID:1488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3696

C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe
"C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe"
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.baixaki.com.br/portal/redir-partners.htm
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8524a3cb8,0x7ff8524a3cc8,0x7ff8524a3cd8
3⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
3⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
3⤵
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12677789704522075138,4701861539349966310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
3⤵
PID:4592

C:\Users\Admin\Downloads\.exe
"C:\Users\Admin\Downloads\.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnupdate.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=100 -language=en -path="C:\LDPlayer\LDPlayer9\"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328284
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
4⤵
PID:1920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
5⤵
PID:2952

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
4⤵
- Manipulates Digital Signatures
PID:3752

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
4⤵
- Manipulates Digital Signatures
PID:1588

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
4⤵
PID:484

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
4⤵
PID:5040

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
4⤵
PID:4200

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
4⤵
PID:2176

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
4⤵
- Manipulates Digital Signatures
PID:1564

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4356

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3548

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:636

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
4⤵
- Drops file in Windows directory
PID:3760

C:\Users\Admin\AppData\Local\Temp\EB4356BB-EC21-4818-8F4E-D2A7E1A9A776\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\EB4356BB-EC21-4818-8F4E-D2A7E1A9A776\dismhost.exe {7649B96C-3691-4525-BB03-DCA53A5C17EB}
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1496

C:\Windows\SysWOW64\sc.exe
sc query HvHost
4⤵
- Launches sc.exe
PID:4936

C:\Windows\SysWOW64\sc.exe
sc query vmms
4⤵
- Launches sc.exe
PID:2112

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
4⤵
- Launches sc.exe
PID:968

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3948

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
4⤵
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
4⤵
- Loads dropped DLL
PID:4564

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1608

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2996

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
4⤵
- Launches sc.exe
PID:4580

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
4⤵
- Launches sc.exe
PID:4720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
3⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4852

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:200

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3124

C:\Windows\SysWOW64\sc.exe
sc query HvHost
3⤵
- Launches sc.exe
PID:2720

C:\Windows\SysWOW64\sc.exe
sc query vmms
3⤵
- Launches sc.exe
PID:2112

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
3⤵
- Launches sc.exe
PID:276

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
3⤵
- Executes dropped EXE
PID:1888

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
- Executes dropped EXE
PID:200

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
- Executes dropped EXE
PID:2604

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM ldcurl.exe /T
2⤵
- Kills process with taskkill
PID:3464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1820

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2316

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2056

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:3112

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:4856

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
330013a714c5dc0c561301adcccd8bc8

SHA1
030b1d6ac68e64dec5cbb82a75938c6ce5588466

SHA256
c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a

SHA512
6afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
3.6MB

MD5
2061141f3c490b5b441eff06e816a6c2

SHA1
d24166db06398c6e897ff662730d3d83391fdaaa

SHA256
2f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0

SHA512
6b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
Filesize
17.4MB

MD5
93b877811441a5ae311762a7cb6fb1e1

SHA1
339e033fd4fbb131c2d9b964354c68cd2cf18bd1

SHA256
b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b

SHA512
7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc
Filesize
5.0MB

MD5
d4d2fd2ce9c5017b32fc054857227592

SHA1
7ee3b1127c892118cc98fb67b1d8a01748ca52d5

SHA256
c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185

SHA512
d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E2BAFF688C7994811CD78232818FD29
Filesize
2KB

MD5
ddb562257c27568d2f8308b9e195b131

SHA1
d342a2a251f6d4201ae7e0a010b815941a4204dc

SHA256
a9dcd22d1389e0adb50c95936d8e693e93510d2079f20bcf45a6c3bb32091be6

SHA512
50f01df2bb9262b9d8057a5a3e202e874ad5edc8f11462af66080499469a1344c8b2e724e0092c72c58ffad2a374a430108d3ee52885dea4802cb9e7b8af1da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\949D2E01833511C6366A8B529939FE66_A640373CFD567F7FA24BE1FC82025C7E
Filesize
314B

MD5
b004643370bb11a67b587db8e9592177

SHA1
a14a3c82d46d1d1ffb348e309580c101e42b9b87

SHA256
e8e45978aac4b913738264eeb282557a61ef3ad27ee207c3862be23ee8d733a1

SHA512
c604fe0ae8bb0f6e32622a2a18d4586c4d92c52d51342a605d15d6e9ba43634737a3efd9e2dbfd90b38c06ac932e5b6ce470158740e004422d6fb1bc5943c7fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E2BAFF688C7994811CD78232818FD29
Filesize
306B

MD5
be77d262a16318e6cef79441804009b7

SHA1
87cb0ec1b4044e39c17b5bffa243a53ce851f9de

SHA256
cd1ca011e8f33d5f94b1cb8f3ca7291bfbb7e43eb703807ce27058530b14d2cd

SHA512
c2ea12835de752828fc2e2354321660badae882dd1bb60a46200ef28eddf632cd48bcbc1e5d279d55c7cb6b21c20209ea84432fb3e94581d7c0d50c65d2b33d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\949D2E01833511C6366A8B529939FE66_A640373CFD567F7FA24BE1FC82025C7E
Filesize
494B

MD5
b76f2ce4f743b4bf7a244c3e82dcaeac

SHA1
00f739258d22c59e0ff30107076cb39ab46b2443

SHA256
426b7246583a41b6d7ce9248a5d42c3483c0445ed70c02df8e4dc6d67821b961

SHA512
1bd9d021ba4a647ed5b2dc89e1ca74d125bf085bc5a4dcc45d499fceea950660bca091b067ff53f5ff4e2a1a6a01bc3855ed05a660625156edbf1a32c1deaacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3066a8b5ee69aa68f709bdfbb468b242

SHA1
a591d71a96bf512bd2cfe17233f368e48790a401

SHA256
76f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434

SHA512
ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c4605aed5013f25a162a5054965829c

SHA1
4cec67cbc5ec1139df172dbc7a51fe38943360cf

SHA256
5c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f

SHA512
bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0e48139ed20081ff7f81852fe5275277

SHA1
7ce8920f0342f8766e89d55808bb0ee6aee3ada2

SHA256
5d01dddd6896ef9f7bac3307793b203a2136b869e4527d41c6d31bb74fa0bae2

SHA512
c1bda2c25ded66cde7f662dda7749e85ac0ee981d74118974b4174ffc8306b370d1eaf2cf6ff02e0cd906e1655613af203ffa76322c647ee9efa8457abe0e64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d8023f426101400949c9ac0b9ec296a4

SHA1
42fda1889f1eebf6137788968ae0a857da79c129

SHA256
3fafb575fc9eeeb8f7e979db3ff91a66b537dee7785f418aef61b3600f82679e

SHA512
773012aa596e64cb4b0b39ef4fcc3777e8753579c35af981970a6c6d3f52fdd3d4a9804d34b96c37702440201236e8b4c287c558fc66a6504f6135f8eb9678d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\148f4584-60a2-4cef-8189-c23bea5d6bcc.tmp
Filesize
8KB

MD5
fce513795f9bd6f57fa01c04fcbe3ab5

SHA1
dbc2de4d92307bb2af59f09913e695166e6f694c

SHA256
5a7aa372dabd18bfd0d0f7edc88786784b9575c78f5f2129032ae2ac6337c305

SHA512
6994b6c55dc6caa4d0aabe213cbd4f28466c9d447a08510a6a92cf48428246fa2a4ddfed8a280063d758ff9bbd7c472bf4eb9364b9c319aff7216bbff427446d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
298d8e4b7263146c7ade852d4304ca78

SHA1
31cde4b1eef729f9f3d4e68e91bbbc272bec7b44

SHA256
61a1f7013c83c9eb54e17c26fec7b4a20d13b7434ac6380fd87ed46ab6a805ce

SHA512
e9073110caa6232fc055c4cff98b1b709ee8852710415da44c1e07fbd57e614dbf2e18bdde107f218302728aa04bc047f8ea270b94e38c7d0554cb2d992bd141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
2b6d9c35f6e5c3385f3e86d116b800f7

SHA1
51f701e6355ddf66ecfd863236567be8dfb9b379

SHA256
b2195e4e0b426c2846697666a36926006a3a4cf30a69bcd80cb75aeb31bd1dcf

SHA512
e9d308b49a41ad8813724dd5a0fa2d3ca1a7dcd9f3d33f92a55dfafb7634d7838fa0a3b646a048aa019bffc10e23173ed470c3f11184823d4a300d79310a8425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
1.0MB

MD5
4b0f8cfba9a5b0fb44441b0eb80c7828

SHA1
1ee59b4124129e0f9be0c3eb1e3564f75b396126

SHA256
b325eee4a4bc728559392e4fb47c529b0372aa20979c80ada7fbb0fa59610ff5

SHA512
06f41a74e94162fbab3b60ec7e0949ba677c099313bde165f02c127c4bbd958fc0a53ce86379202d820267da085370f023a04e402e351e3b68ef2efbd24f59c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
3ddd826d0cf363e445cae43f03808c06

SHA1
d313e40724d17f127b129c6720ee85e17b3792b9

SHA256
362e5f5547b24c953bd0a3892cd9c93d9f8cacd75552b31204dbbbc3d5ef0c1e

SHA512
1a3fdaebe250d5a11dfb2454d087863dcce1e94e70602c8db6664867433b9f6cd722e45442e21e6e0f7e9af208e4cf26ef3839d0374ccdf712a2428d7759017c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
f0c9a12024fc6057bb647aa6969f03a6

SHA1
21af13537b85a09314e4f428bb5fd81003737818

SHA256
a6c0451c90c863a34a919eda9182188f2b917d66cc35a9e05e00813866086cbe

SHA512
ab864f2415db7f91513e3c705380ae87f45a0726ea34e37d28eeb8d1cc48125dc2899384eba00d3957d4bee8936d920132ed261652e5607ae64d700a331a7079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
7156f0a50eb501e9beff3c0e0775ed9e

SHA1
107a82aa3fe35274f056772da0065972391a284c

SHA256
1f5924d953886a558a34845e0d183d1ecca33c4d74ead7a9c198579a63058a06

SHA512
fa97cf24453ebe921583a5a5763e36701edba0668646bb280f21e72aee4d5c7b8c6a538222e8535f0a0a64b353f9945104a2e971c9298ace7c6e8bbaf0b6d94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
28KB

MD5
7cda0574aeaec28fbeb16a5b981c0612

SHA1
7cbd4c1273e3222c23fd66c591d9a00cc1ca38da

SHA256
77547c500719f292c33580bccb685c47d321200b90f6cc00516f40f2ae43fe7a

SHA512
f99ac540a7a6f54747b18451e7b20ae51be4e507cd86c99c11f4251e574bae7e9e1cfc38b782497c3c872391231b2b2b6aa915fd8e330f9ef21dfbef1143a4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
ff7a144f481e689ea8488599ddd4b5f3

SHA1
87f75e434b15e620904568d2b06d0a94bb56585c

SHA256
1d0e21d96d2faf2ec2b02acfad58a5b9ab63896d9ab765b0020557f8dcc8f051

SHA512
a4346bb99d5edd78e7470b2f476885595fa0c07a082525b9f04c0d28708d83de6f9c8ce6396846a5f9cb0cbc6796987c9de3faa55cd9e7ac7acb6248fec5f9ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
116KB

MD5
a60671568835cbcea84080c101fd482b

SHA1
55e85d42910f450154e1928eb6833cf7ced8348b

SHA256
ca2ff0fb25d0eb4222ee21f2509c23305b2b4eeb8b8b484da489d71df010a125

SHA512
8528331348802863de26cbc337b51ce7a1db923cb135ca5a5fe2f9c24bb1540e3619599358a5770efd1a508d7b2773ee8e248c8b3ca1d0dac61ab114e96706da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
1KB

MD5
8e0e822ce8c9df4a737c220233b2b2ab

SHA1
ea7d133b6ed873e0439a681f61a0b0bf209d8355

SHA256
37e72fb14b17bc4261dab6025b532114a99284e53e513fa082dc150ec2d07c7b

SHA512
46a2680213a40624c2892d9ba7c1ae43be4a13cdffbcca87ce78757b0a3634c09e5c0812ca9d43743b4a6ecec69ba75af2eac8ce06e53e00abdc562399af1103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
6KB

MD5
87b3952b05ffe36ac1e469f791a5f199

SHA1
40d356531980179e0a9f742e0888e1bed2285a60

SHA256
e6a910a6f744791640d93bec92216aa5806bc4f03024b611f6a51053e61c538b

SHA512
041ec4cdada3cfd283ab29942854c7928b14ebff54bddce19e0a5c4e4cc17a1b3d51ab338ef694dcd7010f89e3a498658da9e77493c18df61f976af9c0509b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
7f38ae511a47a73fcd467d00407afa33

SHA1
bb71893bbf6ae7a35abb121959bd6728e7227d2f

SHA256
947ed8122a4dafba4fbe3e195ed2448e834d5232e63f1bff9e933d76be3b9ace

SHA512
083b7d66a5314106d8862d172f473da31de9c31903d5de7a8d58cca12b3e3ad9ee3d56f49055ad6b2a7b4da87cf51ca117f27062088352f63ec73eef052ef020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
6KB

MD5
c83c6566cf39ba230b6b9c4fe6e36be4

SHA1
ba53cb5754875594203b9c0a40875803c8465b21

SHA256
fdfa1d528ee44852c8f1b24b10b57e17ba259b4f247ad45bcb1a609ce7e46845

SHA512
f325e9d6c1bd4c0af2dda1367f4dbbab503ddcf92ba57b3ad4bd88ef59e7dba84b93f81c20f8800db775b7bee0924d1a85a9bf1c60441f54b28dea66dd286716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
6KB

MD5
002ea9f08c1fbf6f2f4a732a5cd7ba4f

SHA1
b24ef77490e65374cf6c3930783c22f50334b7b4

SHA256
013a3fbb60a5b1c10dd243ef6cc0bcad3c05e2fa8576eaaf47dd74540d0246b8

SHA512
ec9f7b3173d35d67fc319e8db9407b69d922c3f042f0ea6daf7af21e4d40b863ff019630a71ded4f6f4131f749160e0624df9096ab0233cfc453f5a36c8efabc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
e490700fd99c2d5d8036048acee5aa7b

SHA1
1875e0c47405a3af344937f7622dbd6e97dfe7b8

SHA256
e1d5fc95bb27e0d1a5ec56393a77266ab58a98c2ac42cd5d09520981ecb2ebed

SHA512
1fe80b5227c11b142d57ed862f9ef841fa64ce187fd8abfd97be710bbd7e5ef5e99c6df9e1309d4f0ec7af0aa7f79a0ba7a9f65e52ec5a414e9f944ed2e8da03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
0fad0e70a64be2659268b91f9cc6b7f8

SHA1
eb8b3e899af17aeed68f23d14d6a3428f7492362

SHA256
ffd566dc532ffa170e2b224f067fe5f25d99896499e5f7c79a2acc3a1a6348f0

SHA512
720eb78a45793a1b9a4d48eaa8d34eb9a00ad753a376fbec3dd22974a89be579c6fa56335517905a9b319040e168d6c9b8ce6bccc732bd1bd6a8039846601cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
e7df8aa19154c3bf788fe10f1ddbe505

SHA1
3921df2dc4e8301d8b402836af9e7c1ff886fc22

SHA256
28cf00089fc2ae56185bffdc411daa24fa9de04891e021798d61f05822e416d4

SHA512
25cca59dc665301d1345fb532e1b8c46c21e135db2f5ba9b31234a84fc6b3ea8e841314afff21b9e4f1ac003c9c4c69ca33f8dbcc8fba185e093b2a4e6fb9c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7e7630711d4e62f5583eeb86bd719eda

SHA1
92301605d07143e86ef8a1faaecca5875aa4de3c

SHA256
aa6eb0026c733545fcdecb7c08ac3d94296d2c0d14d047240e3eb6a67e6dcfc1

SHA512
653537f9f730e8ff19b32f7ba272acb403dc9fbe478cb39c2137235effb17ed56e0bee8164d1f8453310f13ec57bdc13636e47fa58159b26da6137d09d619b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
Filesize
2KB

MD5
7a24d4ff36b1a99425353d0f9f5e323c

SHA1
61b30763f064db6e761db152db873b5213a166aa

SHA256
6c8d0ad285b7dafddadbf0f8e90a1f82e2337c0eea58adacaf0e6d35e4d4c584

SHA512
316cb42e019be248e4271a8bcf52f96b9d805ba8f5885d221c1290b10305ae4cf1928ff7aa46cfe9a36a7230869ce5766bc76df8f63f79af80f642cba6dfc09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
319B

MD5
73378677223c514d10c7324bc1b35bea

SHA1
907ade2f35e8a4a18da382d461e960aad602df0e

SHA256
9b9c203b3c7e39e5fea539275e2c87aaf3ec2ec1ddcbf82727fe71a1065e89a7

SHA512
b2c19eb0b507018124234f00eafaa68ca7e05943b28ece6e523ffc0fc570f382b78aed55af8d0db9d3cf13049450a6dcca5a9b434bed3a8244b44877123315c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363799664138477
Filesize
15KB

MD5
d7a6caaea8e0be71df3bc94686773f83

SHA1
ed1ca9f4853f14f9fd26c8a463c52de9aee20223

SHA256
abc8f3ea6e41ecfc40c6d496daa00504faaba94b1456b31c3d9d26ce6d0de49b

SHA512
17456785d2e5b619cc41d313abf9af06dffce2e798d1a922bdf44bb6aab31b3308830256bc19dc33ed56d91b44879f4ba66ef75eac595a7c850ed836df767932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
142548c72d94a34547342ff40eae9896

SHA1
7942e14e180726f060555e592c4bfaf8784562aa

SHA256
8d923adbdf582be2df59e9c43ca0572faa73bb84b6fc48a1a0ecdedf653dc552

SHA512
ec0c9bbed374cdac41588a0a39e6596ae74e6869e45a9016584c5de2396428062de9b1a2b25faad69f536c3cced1452805b4cb233bfe3c39d0318203af98f753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
459b931a1c1ee527a7aa517659e8c949

SHA1
568b081751981b42b1dec3cbc02739e673a441c7

SHA256
786e512d8932d73ed305cd3fdb14e3aa3600b4db0585632130c050b5be55c010

SHA512
c72e6126df03d885005d05870b8d0b8c1a5c66629eec26375b5b6a8defd7b2856cc490bdde4741612b601ee0e414e4acbb1b2111b9e350d8cbb84d4351166115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
2bfae9983afe5d6138a80cb9acf4e2d7

SHA1
68851a38d080c02cc51a55952379a80e5e0496c6

SHA256
c5ffecdb818acb68e8c7e90e7f8e342f9b033631e5cb0aba2174f50b4d2f4c8a

SHA512
c26c884d4d3a969c476efd44abd7ec9cd9a30a2ccf15407d4eecbb3287dd98986f4c02721d62cff2942bd1c59a19f294653f1fd02dd625b50b405e9871c147d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
51c5638d8c1ad781fd4f424ef66a8e56

SHA1
c588b0c67363a20c2713bc9c878a980fa4ea4364

SHA256
e9be9c1d4b30fb15814fec0e0655bf163dc07346e3782d3773cc9c8cc7e4b7fc

SHA512
896e52f5c140c525994847047f71aa1f98e0d0cc165ec38688dd8da83ea8345784e75cae419d18f0c5cb818183107621b8527020dc2da0ab1492c075d2b537b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
be78a63ad6e0b5a80f1a74ed0f1e863b

SHA1
255e17b0596fd4160705433ffefdf2714a24c67f

SHA256
a2f63bfcafd3ea654520099564062166d5712ec1c45799881c7f1ff6060580e1

SHA512
6bad8a2bd5294201667909eb8afa797e520abf0c90305798b50ef512497c3301553e8053aa9ccd46f45218090c8c3d24329057ca3d2cd2b4e7c46853506c493c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586925.TMP
Filesize
2KB

MD5
0bafb421526db9ca57314623e1363de5

SHA1
dfb124db95b9cfdbfb4ff18a30de896268f6d126

SHA256
73b2c3298f5f5de2e5dde4c385cfe24775bf164a0c6eac936e33d9e6f95c9fac

SHA512
ba352c6fc97ad53f56c2c60115f6e22513e3942fcc5e7d61bff8b6a8f9969ef8c486dc71a6654907cbcd962d47216c1cd16db750341a28cd10105f5561b0a038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
2372a0d34b76b6db2e7c4d7bd31f2d00

SHA1
050c93248e9da4a112ecf49cb09dd4a8e916a9c5

SHA256
15d25b57a516686abc3f8aa0d85aec43a409d007517c6a12e6068bc851825a25

SHA512
8ebfb963a90e5fbdd7d7c161e213d756c6a073dbd9f050d3f42f01447aabfb1d72b9f465e2c710626618bfdcdea64b1ef60480c6a4c7c41970158afcad80cb2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
88KB

MD5
21e7de246430ed1940bae1c4cd26f9e7

SHA1
d4ea8bc64ce2418a2407965ff548790c95762da0

SHA256
4611dde0269833613e01a2c007d937bf951a0ffb43a465e6faa748aaabcc499d

SHA512
30001ee0d0db8203b6fb626af66d3ba9a57e512db8d417af9dd860227d1ee010d64da6d0c0b565685812a1d592688d8bb980fec9621121024df3532a9de8f48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
4KB

MD5
1407c44a0a8aa263f0ae1805d194c05d

SHA1
880631fe2ae10975ade17eb1d51b7c6abd3a7ca7

SHA256
d25d55d02f2bc80322cd05bc9a1496aeaf6b31f812f705d45110050bc296064d

SHA512
a1f15741152c1d40a2db92d96673e564ffd7ad7110265b4818c27a3a930a79aa4ff3de214d3b46f9d5669df5f8b70257e1406ceb4bd9736e790f0c7110078deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
322B

MD5
5db6887aad3ed62bc25fab9af18b53c0

SHA1
2c07072a20c0cad6f640bd2872f20dcd34bb4755

SHA256
56cd33871f0f51cb29fcff2d698005bd1ccef66462f9701df693399bd4e0002e

SHA512
392dc10dba8fadf306e74650d8797363875157d283c9ce6a08212e84eac7e7b14c0474e8f50daa98ac921019f523ee91de768530d564a19b0ad8eab38939f414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
340B

MD5
37b76ff36afd293e71a7bc1de4de1117

SHA1
265eb0c2d54ec6a44cba8777ab5cdbe98463a56a

SHA256
06498b37ab65a5941f84e24143bed651ccbb1f79921a4cca409d2a08866a1e7e

SHA512
16a307eec6aca4b049396f3ad5acbf89d9519d0cc801848b8b6116c5d7e8044c5d8f27358a075952a40cf4b09a091a645da3e450cd68d47d5da388908ce8e146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
5ddcea204117b6e6a695deb8ed3e2d51

SHA1
ffba8c7c706fe697d4f3b9cef47d7802866fb82c

SHA256
c5fe9a2d38f02112de10e6c7793587ea94178866141322e2207c97ebecd3dcd7

SHA512
db0f43844a3771e1e8133480233555acf66a6cf7bf4e7ca4ffd54258c908ea880adcf3cdfd656628ec7c1116f67fa2245fe0ed5fe884c4dea5f472f49330c740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0fb878b8311938210ee204d96f6736cc

SHA1
56977c81e368c65d0d8fcd20e32629f008e005f9

SHA256
80b0204153d0aca9963d99c4451a245fade03bc6c1e02e91edb7a690003aab9e

SHA512
fbcc66ff00bfc2bab7c86659e38c0fa09bfea3a2e69fff716316c08c0ed63436dcc0ffeb5add6cbd9bacf9324b8b60368a891d214e44b59588777187b201d2a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
009ee52de8f8411e6594f4c829f70340

SHA1
a794ffd79124caefdb18fb2ce50d8e2d2f693a9c

SHA256
4409137dba18a09f59b975ab51d9668b9545703c665e4a8d422ada0ff04b1525

SHA512
703c530e79efbf0860c953d591ee2097e67fb625b934ee8449df3cd23bc587ee9cd1d45aa10f4df7225e80a410f172e1165d8c93d39d7f3fdeeb9e34c13ca462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
a088e65eb2312fe77ab15a4cb77b2ad5

SHA1
0bc501e872649b3e099dec764945bc971a69b4a3

SHA256
8b77d714406d6721b7e7e09a5ac69815cbf8b64c0cc098f5633aac2b5d892da1

SHA512
f4a096ed65f1359f38c038d8e69801f7548bcc735a2f4356d5e1e18991a8e37e1bce931fe6000663e9767505e37a0c9e0f434edc22d506009193fbbb638bd699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c2d1b460-abe2-4e0f-84b9-0329b3685263.tmp
Filesize
11KB

MD5
0b8ebaa30f9d29b57a177d537925deb2

SHA1
1da409fd4c1e25a6c1244ab36063a7da0d656950

SHA256
b60a0add8bfefcde84e79607f0c1127540b5cd69cbd161bef7c9f20dac6194cd

SHA512
1d50f3ddaa81f4bc34ca7054cb3151b82062d9e79eb2a6b942ddc305b3d3049fe342f437984d94effcbcc6a8bbb5ae62f6d98e41407f3311e0cbdbe10a97b3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nh4u0tix.x3p.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
Filesize
73KB

MD5
b001f88504c8c9973e9a3b4dc03e6d1a

SHA1
a54b3046a70a4f2c792ad6a382b637b599f1dc48

SHA256
8ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd

SHA512
390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8

Download Submit
C:\Users\Admin\Downloads\.exe
Filesize
4.6MB

MD5
b090c5b0e299c22ef6db97dd47c4cb93

SHA1
1576c0199d53126e7f7b005aabfe8555467984d6

SHA256
76c7b3fd30179dcc07d3b97624d7d0a7e360992c9c56a9519d3df59406ac466b

SHA512
825ba4ebd07d33e2bbee7b029d2397c0bb426e07446d2e9487d51089c6464ac1b794fae29fbc7f9662ab7c34de72c2a95ed5543170624ad84a43a3de7ae1a6d6

Download Submit
C:\Users\Admin\Downloads\Baixaki_Free Fire para PC_v2.420.27.867.2.exe:Zone.Identifier
Filesize
67B

MD5
90b4f32289be85d2be4ccd06db7761e5

SHA1
80d68153a67d5f490c7f2b336fc8daa4ed93a3ea

SHA256
a876496da2edb917cf769c21e8c1e0d57ad9d9bc478a80fe6365f716ab2b1e37

SHA512
af7c1208ec48f500b665ff4f5f279d6c596ba6acf7cc80e691ff1fd8508ee6f82074d14d0c72f4cbe45bf9e89d1ca7f81a5d711515621fb1fa7206d6ce0724cd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 186305.crdownload
Filesize
1.3MB

MD5
21bd357545f207c0cdccfd0bbf77de08

SHA1
85669fba2b5222efddf2c5f08a83f11745420dd6

SHA256
f4cabb0638c44b174b4b203d8c03344629bf3ea5bc3b4ed346222187e8d77fa7

SHA512
def2fc67e80231a4fabff71d538b5aca75e94c6173837553a3174adb78bb7d8bf29ea5600a5fdf6484419bf6b1fab0e541dfa8d0b2ab733936d571bc857a873a

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
22KB

MD5
23f7814355b2d2119d674baa26aecde5

SHA1
3043d9eb0b226a3be42b312f77ae264d9271e1c7

SHA256
17ca19fb9ce6602831d1dbb28220c73e4996083888af79f3f3e12813e8036785

SHA512
491e88ec51987049d9ef202b619df03a2c54705ff725921587934c44b88ae7a8f991ca441ec0042169a274c332a458eae63050eaf252572e5f814e7086c202ba

Download Submit
\??\pipe\LOCAL\crashpad_3680_GDULOCWUBWIPWZFD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-467-0x000000001C6E0000-0x000000001C6F2000-memory.dmp

Filesize
72KB

Download
memory/224-469-0x000000001C7C0000-0x000000001C7F2000-memory.dmp

Filesize
200KB

Download
memory/224-487-0x000000001BEA0000-0x000000001C053000-memory.dmp

Filesize
1.7MB

Download
memory/224-476-0x000000001BEA0000-0x000000001C053000-memory.dmp

Filesize
1.7MB

Download
memory/224-471-0x000000001C7A0000-0x000000001C7BA000-memory.dmp

Filesize
104KB

Download
memory/224-470-0x000000001C780000-0x000000001C79E000-memory.dmp

Filesize
120KB

Download
memory/224-463-0x0000000000FF0000-0x0000000001142000-memory.dmp

Filesize
1.3MB

Download
memory/224-464-0x000000001C880000-0x000000001CDA8000-memory.dmp

Filesize
5.2MB

Download
memory/224-465-0x000000001C710000-0x000000001C760000-memory.dmp

Filesize
320KB

Download
memory/224-466-0x000000001CDB0000-0x000000001CE62000-memory.dmp

Filesize
712KB

Download
memory/224-468-0x000000001C760000-0x000000001C780000-memory.dmp

Filesize
128KB

Download
memory/1128-1208-0x0000000005AF0000-0x0000000005E47000-memory.dmp

Filesize
3.3MB

Download
memory/1128-1212-0x000000006E920000-0x000000006E96C000-memory.dmp

Filesize
304KB

Download
memory/2500-1192-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/2500-1179-0x0000000006090000-0x00000000063E7000-memory.dmp

Filesize
3.3MB

Download
memory/2500-1182-0x00000000074F0000-0x0000000007524000-memory.dmp

Filesize
208KB

Download
memory/2500-1199-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/2500-1183-0x000000006E920000-0x000000006E96C000-memory.dmp

Filesize
304KB

Download
memory/2500-1200-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/2500-1198-0x0000000007A70000-0x0000000007A81000-memory.dmp

Filesize
68KB

Download
memory/2500-1197-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/2500-1196-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/2500-1181-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/2500-1180-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/2500-1193-0x0000000007730000-0x00000000077D4000-memory.dmp

Filesize
656KB

Download
memory/2500-1168-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/2500-1169-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/2500-1170-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/2500-1167-0x0000000005A60000-0x000000000608A000-memory.dmp

Filesize
6.2MB

Download
memory/2500-1166-0x0000000002D10000-0x0000000002D46000-memory.dmp

Filesize
216KB

Download
memory/2500-1195-0x0000000007860000-0x000000000787A000-memory.dmp

Filesize
104KB

Download
memory/2500-1194-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/2804-1231-0x000000006E920000-0x000000006E96C000-memory.dmp

Filesize
304KB

Download
memory/2804-1222-0x0000000005480000-0x00000000057D7000-memory.dmp

Filesize
3.3MB

Download
memory/3124-1349-0x0000000036960000-0x0000000036970000-memory.dmp

Filesize
64KB

Download