45d46345af6910f24d308c0240abbbb2c18d912aa82e323606de9ce215c7d8bb

Analysis

max time kernel
152s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher.exe
Size

2.0MB
MD5

db6c5ba8ebfac25ef90a93f576a1828a
SHA1

d5423517d97f40f9f53ae7eea08507c1a8d1574a
SHA256

45d46345af6910f24d308c0240abbbb2c18d912aa82e323606de9ce215c7d8bb
SHA512

c3adf173cd183ca8e687aca1e3d21ed6d306dc47cfc0a1173d6a6212314754bd11b3030d0b16ae0dd1f312f140ef8ebf5e4fa5bfa1dd42365197d9656beea13a
SSDEEP

49152:dFSDltZFia18KhM/04OSFTUeaho3mfTjFMwPMQ3dSWzTrb6O:wqa1RhM/04OXTbb

Score

8^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	RobloxStudioLauncherBeta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Executes dropped EXE 15 IoCs

pid	Process
3272	RobloxStudioLauncherBeta.exe
3172	RobloxStudioLauncherBeta.exe
1496	MicrosoftEdgeWebview2Setup.exe
2152	MicrosoftEdgeUpdate.exe
6140	MicrosoftEdgeUpdate.exe
6092	MicrosoftEdgeUpdate.exe
1156	MicrosoftEdgeUpdateComRegisterShell64.exe
3588	MicrosoftEdgeUpdateComRegisterShell64.exe
4508	MicrosoftEdgeUpdateComRegisterShell64.exe
3436	MicrosoftEdgeUpdate.exe
4664	MicrosoftEdgeUpdate.exe
2340	MicrosoftEdgeUpdate.exe
4336	MicrosoftEdgeUpdate.exe
1008	MicrosoftEdge_X64_112.0.1722.39.exe
3948	setup.exe

Loads dropped DLL 15 IoCs

pid	Process
2152	MicrosoftEdgeUpdate.exe
6140	MicrosoftEdgeUpdate.exe
6092	MicrosoftEdgeUpdate.exe
1156	MicrosoftEdgeUpdateComRegisterShell64.exe
6092	MicrosoftEdgeUpdate.exe
3588	MicrosoftEdgeUpdateComRegisterShell64.exe
6092	MicrosoftEdgeUpdate.exe
4508	MicrosoftEdgeUpdateComRegisterShell64.exe
6092	MicrosoftEdgeUpdate.exe
3436	MicrosoftEdgeUpdate.exe
4664	MicrosoftEdgeUpdate.exe
2340	MicrosoftEdgeUpdate.exe
2340	MicrosoftEdgeUpdate.exe
4664	MicrosoftEdgeUpdate.exe
4336	MicrosoftEdgeUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxStudioLauncherBeta.exe

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\AnimationEditor\Button_Dopesheet_Lightmode.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\ui\PlayerList\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ApolloClientTesting\ZenObservable.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\RecordPlayback\RecordPlayback\LuauModuleSerializer\LuauSerializer\isValidLuauIdentifier.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TenFootUiShell\TenFootUiGlobalNav.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\StudioSharedUI\pending-dark.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\AppTempCommon\LuaApp\Reducers\.robloxrc	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.4.2\LuauPolyfill\console\.robloxrc	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\scripts\CoreScripts\Modules\DevConsole\Reducers\MemoryData.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\LuaChatDeps\UIBlox.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\LuaSocialLibrariesDeps\NetworkingSquads.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\TestEZJestAdapter\JestReporters.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\AudioDiscovery\icon.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\scripts\CoreScripts\Modules\Settings\Pages\ReportAbuseMenu.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\RequestPipeline\Expect.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\GameSettings\DottedBorder_Square.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Analytics\Navigation\EventNames.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\FriendsLandingContext\Context.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\StudioToolbox\AssetPreview\play_button.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ReactRoblox-a406e214-4230f473\LuauPolyfill.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Control\HorizontalNav\ArrowNav.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\ImageSet\ImageAtlas\img_set_3x_14.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\TestHelpers\init.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\scripts\CoreScripts\Modules\EmotesMenu\EmotesMenuMaster.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\scripts\CoreScripts\Modules\PublishAssetPrompt\init.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\Merge\Merge\typedefs-mergers\type.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactUtils\Dev\TestUtils.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialChatToast\SocialChatToast\ToastModel.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\AssetImport\btn_light_resetcam_28x28.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\installReducer\BubbleChat\ChatSettings.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-3.2.1\RobloxShared\nodeUtils.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\avatar\meshes\rightleg.mesh	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\ChatInput\UI\ChatInputBar\ChannelChip.spec.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\jsutils\printPathArray.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\textures\ui\InGameMenu\TouchControls\touch_action_move_2.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\Shared-07417f27-17.0.1-rc.17\Shared\console.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\DeveloperInspector\Filter.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\MaterialManager\Favorites.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\ui\Chat\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\AppTempCommon\Temp\httpRequest.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\DeveloperInspector\Record.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\GameSettings\CenterPlus.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\studio_svg_textures\Shared\WidgetIcons\Dark\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\SharedUtils\SharedUtils\Error\try.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\Qml\QtGraphicalEffects\private\DropShadowBase.qml	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\RoduxAliases-4b477b13-e5753ce1\lock.toml	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\studio_svg_textures\Lua\AssetManager\Dark\Large\Import.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\MaterialGenerator\Materials\Brick.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\DiffSequences-edcba0e9-3.2.1\DiffSequences\init.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\BubbleChat\BillboardGui\init.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsExtensions-d86ebb2a-ca453478\lock.toml	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\ReactRoblox-a406e214-4230f473\ReactRoblox\client\ReactRobloxHostConfig.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\DeveloperFramework\AssetPreview\Flag.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Packages\_Index\HttpRequest\HttpRequest\RequestFunctions\Util\getPostBody.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\Analytics.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\DeveloperFramework\MediaPlayerControls\pause_button.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\particles\sparkles_main.dds	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\ui\Controls\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\textures\ui\InGameMenu\ScrollTop.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\scripts\CoreScripts\Modules\DevConsole\Reducers\DataStoresData.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\ExtraContent\scripts\CoreScripts\Modules\PublishAssetPrompt\Components\PublishAssetPromptApp.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\content\studio_svg_textures\Shared\DraggerTools\Light\Large\Rotate_P.png	RobloxStudioLauncherBeta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxStudioLauncherBeta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RobloxStudioBeta.exe = "11001"	RobloxStudioLauncherBeta.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\PROGID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ELEVATION	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
816	RobloxPlayerLauncher.exe
816	RobloxPlayerLauncher.exe
3272	RobloxStudioLauncherBeta.exe
3272	RobloxStudioLauncherBeta.exe
2152	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeDebugPrivilege	2152	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 368 wrote to memory of 2376	368	firefox.exe	87
PID 816 wrote to memory of 4364	816	RobloxPlayerLauncher.exe	88
PID 816 wrote to memory of 4364	816	RobloxPlayerLauncher.exe	88
PID 816 wrote to memory of 4364	816	RobloxPlayerLauncher.exe	88
PID 2376 wrote to memory of 1900	2376	firefox.exe	89
PID 2376 wrote to memory of 1900	2376	firefox.exe	89
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90
PID 2376 wrote to memory of 4996	2376	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.0.1225507599\2053393049" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dfd15c2-de38-4a45-bce6-324804330f51} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 1916 1b29f4c9858 gpu
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.1.375648311\615325382" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2108 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4383640d-5640-4f9c-9561-337c3cd9ee21} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2056 1b292572258 socket
    3⤵
    - Checks processor information in registry
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.2.1186051461\51307306" -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3260 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f2b1a28-6c44-41ac-886a-d899e2fd4284} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3276 1b29f465758 tab
    3⤵
    PID:4508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.3.877558402\219641600" -childID 2 -isForBrowser -prefsHandle 2476 -prefMapHandle 2360 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f02ba607-41dc-426d-af89-4724343efe3a} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3472 1b2a1d7e758 tab
    3⤵
    PID:3984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.4.1273532007\1954776386" -childID 3 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06c6e1df-ac35-4a0c-8ef0-608d09036eac} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3992 1b292562b58 tab
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.6.991605862\252968687" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4996 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa1772aa-5b71-4cc1-ade0-643ba9a2d210} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5008 1b2a5a97d58 tab
    3⤵
    PID:972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.5.1926859645\986313352" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc73536d-6d82-4db4-93e1-599d5c88d74d} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 4984 1b29252db58 tab
    3⤵
    PID:1576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.7.389330546\89155587" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18185e1c-d25f-4af2-9367-017dc8b6ed8e} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5344 1b2a5a99b58 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.8.14645296\880047188" -childID 7 -isForBrowser -prefsHandle 5656 -prefMapHandle 5628 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {973aae4d-5481-4554-b889-639084b1cd1b} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5648 1b2a1f88958 tab
    3⤵
    PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.9.1039554341\590604666" -childID 8 -isForBrowser -prefsHandle 5828 -prefMapHandle 3608 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08905502-7577-4cb2-a711-8877fa2a8afb} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5860 1b2a3f51a58 tab
    3⤵
    PID:6080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.10.1680232644\173824522" -parentBuildID 20221007134813 -prefsHandle 6032 -prefMapHandle 6028 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {060e3a61-5d28-40df-af9d-0d3fa44cabac} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5980 1b2a7292d58 rdd
    3⤵
    PID:5164

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=333ca2e0e398475715c9f5d4356bdefc4c246d95 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7bc,0x7c0,0x7c4,0x6b4,0x6d4,0x100d584,0x100d594,0x100d5a4
  2⤵
  PID:4364

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
"C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe" -ide
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:3272
- C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=333ca2e0e398475715c9f5d4356bdefc4c246d95 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=0 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x70c,0x710,0x714,0x6ac,0x734,0x13ad4cc,0x13ad4dc,0x13ad4ec
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
  MicrosoftEdgeWebview2Setup.exe /silent /install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1496
- - C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:6140
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:6092
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1156
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3588
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4508
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUZBQzExNUUtMTE2Mi00MDAxLUE5RUYtMzYwQTlENDhGQUJEfSIgdXNlcmlkPSJ7QTkwQjMyRDYtMTM4Ri00OUY1LThGRUMtREM1MkJFNzBGRkIzfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0M0Y1NjJGQi0yMUZDLTQ2OUUtQTZGQi0zMjRGQTBFMzZBQ0F9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzMuNDUiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTYyOTQ4ODAxIiBpbnN0YWxsX3RpbWVfbXM9IjE0NTQiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      PID:3436
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{5FAC115E-1162-4001-A9EF-360A9D48FABD}" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4664

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:2340
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUZBQzExNUUtMTE2Mi00MDAxLUE5RUYtMzYwQTlENDhGQUJEfSIgdXNlcmlkPSJ7QTkwQjMyRDYtMTM4Ri00OUY1LThGRUMtREM1MkJFNzBGRkIzfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQTM0QkVEQi1BODhFLTREMjUtOEY4MS1FMzcyNTAzOEFCMEF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTcyNDk4MzU4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:4336
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{633C6101-5DD8-4A29-BE24-3B8826FB2181}\MicrosoftEdge_X64_112.0.1722.39.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{633C6101-5DD8-4A29-BE24-3B8826FB2181}\MicrosoftEdge_X64_112.0.1722.39.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:1008
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{633C6101-5DD8-4A29-BE24-3B8826FB2181}\EDGEMITMP_0C593.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{633C6101-5DD8-4A29-BE24-3B8826FB2181}\EDGEMITMP_0C593.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{633C6101-5DD8-4A29-BE24-3B8826FB2181}\MicrosoftEdge_X64_112.0.1722.39.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\112.0.1722.39\MicrosoftEdge_X64_112.0.1722.39.exe

Filesize
136.2MB

MD5
7ff64ed6d6d9f41c903fb77f47a3af31

SHA1
2bf440025fca3c51e74d0a73713d01aa5b6b6dd5

SHA256
81c166b377d862e29353fc72eb2a2683269b970e29ef3156b02f47af27d3c415

SHA512
846aee6c4090efc9a97e6ffcbc50a0a76d1c594c47d49dbe669f6cfb9ed7021641307e1e02372e4125f9cc3284260ab6db2dc10364097d5e2c311a376d869225

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
7a160c6016922713345454265807f08d

SHA1
e36ee184edd449252eb2dfd3016d5b0d2edad3c6

SHA256
35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9

SHA512
c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
60dba9b06b56e58f5aea1a4149c743d2

SHA1
a7e456acf64dd99ca30259cf45b88cf2515a69b3

SHA256
4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112

SHA512
e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
c044dcfa4d518df8fc9d4a161d49cece

SHA1
91bd4e933b22c010454fd6d3e3b042ab6e8b2149

SHA256
9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2

SHA512
f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
965b3af7886e7bf6584488658c050ca2

SHA1
72daabdde7cd500c483d0eeecb1bd19708f8e4a5

SHA256
d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

SHA512
1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
965b3af7886e7bf6584488658c050ca2

SHA1
72daabdde7cd500c483d0eeecb1bd19708f8e4a5

SHA256
d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

SHA512
1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
567aec2d42d02675eb515bbd852be7db

SHA1
66079ae8ac619ff34e3ddb5fb0823b1790ba7b37

SHA256
a881788359b2a7d90ac70a76c45938fb337c2064487dcb8be00b9c311d10c24c

SHA512
3a7414e95c2927d5496f29814556d731aef19efa531fb58988079287669dfc033f3e04c8740697571df76bfecfe3b75659511783ce34682d2a2ea704dfa115b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
f6c1324070b6c4e2a8f8921652bfbdfa

SHA1
988e6190f26e4ca8f7ea3caabb366cf1edcdcbbf

SHA256
986b0654a8b5f7b23478463ff051bffe1e9bbdeb48744e4aa1bd3d89a7520717

SHA512
63092cf13e8a19966181df695eb021b0a9993afe8f98b1309973ea999fdf4cd9b6ffd609968d4aa0b2cde41e872688a283fd922d8b22cb5ad06339fe18221100

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
570efe7aa117a1f98c7a682f8112cb6d

SHA1
536e7c49e24e9aa068a021a8f258e3e4e69fa64f

SHA256
e2cc8017bc24e73048c7ee68d3787ed63c3898eec61299a9ca1bab8aeaa8da01

SHA512
5e963dd55a5739a1da19cec7277dc3d07afdb682330998fd8c33a1b5949942019521967d8b5af0752a7a8e2cf536faa7e62982501170319558ceaa21ed657ae8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
a8d3210e34bf6f63a35590245c16bc1b

SHA1
f337f2cbec05b7e20ca676d7c2b1a8d5ae8bf693

SHA256
3b82de846ad028544013383e3c9fb570d2a09abf2c854e8a4d641bd7fc3b3766

SHA512
6e47ffe8f7c2532e7854dcae3cbd4e6533f0238815cb6af5ea85087c51017ea284542b988f07692d0297ebab1bad80d7613bf424ff532e10b01c8e528ab1043a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
7937c407ebe21170daf0975779f1aa49

SHA1
4c2a40e76209abd2492dfaaf65ef24de72291346

SHA256
5ab96e4e6e065dbce3b643c6be2c668f5570984ead1a8b3578bbd2056fbad4e9

SHA512
8670746941660e6573732077f5ed1b630f94a825cf4ac9dbe5018772eaac1c48216334757a2aeaa561034b4d907162a370b8f0bae83b34a09457fafe165fb5d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
8375b1b756b2a74a12def575351e6bbd

SHA1
802ec096425dc1cab723d4cf2fd1a868315d3727

SHA256
a12df15afac4eb2695626d7a8a2888bdf54c8db671043b0677180f746d8ad105

SHA512
aec4bb94fde884db79a629abcff27fd8afb7f229d055514f51fa570fb47a85f8dfc9a54a8f69607d2bcaf82fae1ec7ffab0b246795a77a589be11fad51b24d19

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
a94cf5e8b1708a43393263a33e739edd

SHA1
1068868bdc271a52aaae6f749028ed3170b09cce

SHA256
5b01fe11016610d5606f815281c970c86025732fc597b99c031a018626cd9f3c

SHA512
920f7fed1b720afdb569aec2961bd827a6fc54b4598c0704f65da781d142b1707e5106a459f0c289e0f476b054d93c0b733806af036b68f46377dde0541af2e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
7dc58c4e27eaf84ae9984cff2cc16235

SHA1
3f53499ddc487658932a8c2bcf562ba32afd3bda

SHA256
e32f77ed3067d7735d10f80e5a0aa0c50c993b59b82dc834f2583c314e28fa98

SHA512
bdec1300cf83ea06dfd351fe1252b850fecea08f9ef9cb1207fce40ce30742348db953107ade6cdb0612af2e774345faf03a8a6476f2f26735eb89153b4256dc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
e338dccaa43962697db9f67e0265a3fc

SHA1
4c6c327efc12d21c4299df7b97bf2c45840e0d83

SHA256
99b1b7e25fbc2c64489c0607cef0ae5ff720ab529e11093ed9860d953adeba04

SHA512
e0c15b166892433ef31ddf6b086680c55e1a515bed89d51edbdf526fcac71fb4e8cb2fadc739ac75ae5c2d9819fc985ca873b0e9e2a2925f82e0a456210898f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
2929e8d496d95739f207b9f59b13f925

SHA1
7c1c574194d9e31ca91e2a21a5c671e5e95c734c

SHA256
2726c48a468f8f6debc2d9a6a0706b640b2852c885e603e6b2dec638756160df

SHA512
ea459305d3c3fa7a546194f649722b76072f31e75d59da149c57ff05f4af8f38a809066054df809303937bbca917e67441da2f0e1ea37b50007c25ae99429957

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
39551d8d284c108a17dc5f74a7084bb5

SHA1
6e43fc5cec4b4b0d44f3b45253c5e0b032e8e884

SHA256
8dbd55ed532073874f4fe006ef456e31642317145bd18ddc30f681ce9e0c8e07

SHA512
6fa5013a9ce62deca9fa90a98849401b6e164bbad8bef00a8a8b228427520dd584e28cba19c71e2c658692390fe29be28f0398cb6c0f9324c56290bb245d06d2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
16c84ad1222284f40968a851f541d6bb

SHA1
bc26d50e15ccaed6a5fbe801943117269b3b8e6b

SHA256
e0f0026ddcbeafc6c991da6ba7c52927d050f928dba4a7153552efcea893a35b

SHA512
d3018619469ed25d84713bd6b6515c9a27528810765ed41741ac92caf0a3f72345c465a5bda825041df69e1264aada322b62e10c7ed20b3d1bcde82c7e146b7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
34d991980016595b803d212dc356d765

SHA1
e3a35df6488c3463c2a7adf89029e1dd8308f816

SHA256
252b6f9bf5a9cb59ad1c072e289cc9695c0040b363d4bfbcc9618a12df77d18e

SHA512
8a6cbcf812af37e3ead789fbec6cba9c4e1829dbeea6200f0abbdae15efd1eda38c3a2576e819d95ed2df0aafd2370480daa24a3fe6aeb8081a936d5e1f8d8ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_da.dll

Filesize
28KB

MD5
d34380d302b16eab40d5b63cfb4ed0fe

SHA1
1d3047119e353a55dc215666f2b7b69f0ede775b

SHA256
fd98159338d1f3b03814af31440d37d15ab183c1a230e6261fbb90e402f85d5f

SHA512
45ce58f4343755e392037a9c6fc301ad9392e280a72b9d4b6d328866fe26877b2988c39e05c4e7f1d5b046c0864714b897d35285e222fd668f0d71b7b10e6538

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
aab01f0d7bdc51b190f27ce58701c1da

SHA1
1a21aabab0875651efd974100a81cda52c462997

SHA256
061a7cdaff9867ddb0bd3de2c0760d6919d8d2ca7c7f889ec2d32265d7e7a75c

SHA512
5edbda45205b61ac48ea6e874411bb1031989001539650de6e424528f72ec8071bd709c037c956450bb0558ee37d026c26fdb966efceb990ed1219f135b09e6e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
ac275b6e825c3bd87d96b52eac36c0f6

SHA1
29e537d81f5d997285b62cd2efea088c3284d18f

SHA256
223d2db0bc2cc82bda04a0a2cd2b7f6cb589e2fa5c0471a2d5eb04d2ffcfcfa0

SHA512
bba581412c4297c4daf245550a2656cdc2923f77158b171e0eacf6e933c174eac84580864813cf6d75d73d1a58e0caf46170aee3cee9d84dc468379252b16679

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
d749e093f263244d276b6ffcf4ef4b42

SHA1
69f024c769632cdbb019943552bac5281d4cbe05

SHA256
fd90699e7f29b6028a2e8e6f3ae82d26cdc6942bd39c4f07b221d87c5dbbfe1e

SHA512
48d51b006ce0cd903154fa03d17e76591db739c4bfb64243725d21d4aa17db57a852077be00b9a51815d09664d18f9e6ad61d9bc41b3d013ed24aaec8f477ad9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
4a1e3cf488e998ef4d22ac25ccc520a5

SHA1
dc568a6e3c9465474ef0d761581c733b3371b1cd

SHA256
9afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011

SHA512
ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
28fefc59008ef0325682a0611f8dba70

SHA1
f528803c731c11d8d92c5660cb4125c26bb75265

SHA256
55a69ce2d6fc4109d16172ba6d9edb59dbadbc8af6746cc71dc4045aa549022d

SHA512
2ec71244303beac7d5ce0905001fe5b0fb996ad1d1c35e63eecd4d9b87751f0633a281554b3f0aa02ee44b8ceaad85a671ef6c34589055797912324e48cc23ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_es.dll

Filesize
28KB

MD5
9db7f66f9dc417ebba021bc45af5d34b

SHA1
6815318b05019f521d65f6046cf340ad88e40971

SHA256
e652159a75cbab76217ecbb4340020f277175838b316b32cf71e18d83da4a819

SHA512
943d8fc0d308c5ccd5ab068fc10e799b92465a22841ce700c636e7ae1c12995d99c0a93ab85c1ae27fefce869eabadbeafee0f2f5f010ad3b35fa4f748b54952

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
b78cba3088ecdc571412955742ea560b

SHA1
bc04cf9014cec5b9f240235b5ff0f29dbdb22926

SHA256
f0a4cfd96c85f2d98a3c9ecfadd41c0c139fdb20470c8004f4c112dd3d69e085

SHA512
04c8ab8e62017df63e411a49fb6218c341672f348cb9950b1f0d2b2a48016036f395b4568da70989f038e8e28efea65ddd284dfd490e93b6731d9e3e0e0813cf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
a7e1f4f482522a647311735699bec186

SHA1
3b4b4b6e6a5e0c1981c62b6b33a0ca78f82b7bbd

SHA256
e5615c838a71b533b26d308509954907bcc0eb4032cdbaa3db621eede5e6bfa4

SHA512
22131600bbac8d9c2dab358e244ec85315a1aaebfc0fb62aaa1493c418c8832c3a6fbf24a6f8cf4704fdc4bc10a66c88839a719116b4a3d85264b7ad93c54d57

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
cbe3454843ce2f36201460e316af1404

SHA1
0883394c28cb60be8276cb690496318fcabea424

SHA256
c66c4024847d353e9985eb9b2f060b2d84f12cc77fb6479df5ffc55dbda97e59

SHA512
f39e660f3bfab288871d3ec40135c16d31c6eb1a84136e065b54ff306f6f8016a788c713d4d8e46ad62e459f9073d2307a6ed650919b2dd00577bbfd04e5bd73

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
d45f2d476ed78fa3e30f16e11c1c61ea

SHA1
8c8c5d5f77cd8764c4ca0c389daee89e658dfd5e

SHA256
acf42b90190110ccf30bcfb2626dd999a14e42a72a3983928cba98d44f0a72e2

SHA512
2a876e0313a03e75b837d43e9c5bb10fcec385fbb0638faa984ee4bb68b485b04d14c59cd4ed561aaa7f746975e459954e276e73fc3f5f4605ae7f333ce85f1b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
7c66526dc65de144f3444556c3dba7b8

SHA1
6721a1f45ac779e82eecc9a584bcf4bcee365940

SHA256
e622823096fc656f63d5a7bbdf3744745ef389c92ec1b804d3b874578e18c89d

SHA512
dbc803c593ae0b18fd989fdc5e9e6aee8f16b893ae8d17e9d88436e2cd8cae23d06e32e4c8a8bf67fc5311b6f2a184c4e6795fed6d15b3d766ef5affc8923e2f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
b534e068001e8729faf212ad3c0da16c

SHA1
999fa33c5ea856d305cc359c18ea8e994a83f7a9

SHA256
445051ef15c6c872bed6d904169793837e41029a8578eaf81d78a4641ef53511

SHA512
e937d2e0f43ade3f4a5e9cdeb6dd8c8ad8b5b50a7b6b779bda727a4fe1ced93abd06720395cc69a274ce3b0f7c6b65e1eba1ecf069db64edb80d007fbb4eedbb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
64c47a66830992f0bdfd05036a290498

SHA1
88b1b8faa511ee9f4a0e944a0289db48a8680640

SHA256
a9b72fcb3bdb5e021b8d23b2de0caeca80ddc50420088b988a5b7503f2d7c961

SHA512
426546310c12aeb80d56e6b40973a5f4dffef72e14d1ac79e3f267e4df2a0022b89e08bba8ab2ffa24f90b0c035a009bed3066201e30fe961d84ed854e48f9c5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_ga.dll

Filesize
28KB

MD5
3b8a5301c4cf21b439953c97bd3c441c

SHA1
8a7b48bb3d75279de5f5eb88b5a83437c9a2014a

SHA256
abc9822ee193c9a98a21202648a48ecd69b0cb19ff31c9bbf0c79dab5f9609b0

SHA512
068166cfdf879caf4e54fe43c5265a692fcaf6a9dcbf151335fd054bbec06260bc5ed489de6d46ca3fc0044bc61fa1468fea85373c6c66349620618ee869383a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
c90f33303c5bd706776e90c12aefabee

SHA1
1965550fe34b68ea37a24c8708eef1a0d561fb11

SHA256
e3acc61d06942408369c85365ac0d731c5f3c9bc26e3f1e3bb24226d0879ad9c

SHA512
b0c1a9d7df57d68e5daf527703f0b6154a2ef72af1a3933bda2804408f6684b5b09b822522193243fd0756f80f13d3ab0647c90d2bed1a57b4a9fea933b0aa9a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_gl.dll

Filesize
28KB

MD5
84a1cea9a31be831155aa1e12518e446

SHA1
670f4edd4dc8df97af8925f56241375757afb3da

SHA256
e4eb716f1041160fd323b0f229b88851e153025d5d79f49b7d6ecb7eb2442c57

SHA512
5f1318119102fcee1c828565737ce914493ff86e2a18a94f5ff2b6b394d584ace75c37258d589cce1d5afd8e37d617168a7d7372cfd68dd6a2afcd4577a0bc51

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_gu.dll

Filesize
28KB

MD5
f9646357cf6ce93d7ba9cfb3fa362928

SHA1
a072cc350ea8ea6d8a01af335691057132b04025

SHA256
838ccd8243caa1a5d9e72eb1179ac8ae59d2acb453ed86be01e0722a8e917150

SHA512
654c4a5200f20411c56c59dbb30a63bfe2da27781c081e2049b31f0371a31d679e3c9378c7eb9cf0fb9166a3f0fba33a58c3268193119b06f91bebe164a82528

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26DC.tmp\msedgeupdateres_hi.dll

Filesize
28KB

MD5
34cbaeb5ec7984362a3dabe5c14a08ec

SHA1
d88ec7ac1997b7355e81226444ec4740b69670d7

SHA256
024c5eae16e45abe2237c2a5d868563550ac596f1f7d777e25234c17d9461dd9

SHA512
008c8443a3e93c4643a9e8735a1c59c24ba2f7a789606a86da54c921c34cbc0cb11c88594544d8509a8e71b6a287c043b1ffe2d39b90af53b4cde3847d891ba8

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
43107992d0d5c53d8b19aa3be458fb9f

SHA1
6d6848343e1bcad509e3646adb1bb3a0b7b1cd92

SHA256
86b0268c819e7a76c69c65fee4d39188140e83b722d098f93585b14716b42e15

SHA512
3e0b63aea1abb55bd698542e5b25fc90e8f69476881b926f3f1ac0947b0ede5ec4073e3f5c52ba70c5ddcf7acbd098d6acd0eb58d783a8428ffc854a40a81fbe

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
43107992d0d5c53d8b19aa3be458fb9f

SHA1
6d6848343e1bcad509e3646adb1bb3a0b7b1cd92

SHA256
86b0268c819e7a76c69c65fee4d39188140e83b722d098f93585b14716b42e15

SHA512
3e0b63aea1abb55bd698542e5b25fc90e8f69476881b926f3f1ac0947b0ede5ec4073e3f5c52ba70c5ddcf7acbd098d6acd0eb58d783a8428ffc854a40a81fbe

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
43107992d0d5c53d8b19aa3be458fb9f

SHA1
6d6848343e1bcad509e3646adb1bb3a0b7b1cd92

SHA256
86b0268c819e7a76c69c65fee4d39188140e83b722d098f93585b14716b42e15

SHA512
3e0b63aea1abb55bd698542e5b25fc90e8f69476881b926f3f1ac0947b0ede5ec4073e3f5c52ba70c5ddcf7acbd098d6acd0eb58d783a8428ffc854a40a81fbe

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
43107992d0d5c53d8b19aa3be458fb9f

SHA1
6d6848343e1bcad509e3646adb1bb3a0b7b1cd92

SHA256
86b0268c819e7a76c69c65fee4d39188140e83b722d098f93585b14716b42e15

SHA512
3e0b63aea1abb55bd698542e5b25fc90e8f69476881b926f3f1ac0947b0ede5ec4073e3f5c52ba70c5ddcf7acbd098d6acd0eb58d783a8428ffc854a40a81fbe

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-35a78caea5ee4581\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
151KB

MD5
9033edb68e52f68caa035348b1dc2450

SHA1
359da60aa2f77b436752b01dd82d30baa5e8270b

SHA256
aca17844408d7ea9619f738450a46ba46de3078978ddb3faa665b7d8ba35721c

SHA512
77731b6423c8eb75f0bc7b4a4941deaaaa7279fc5d34dafeb0a032cb003f370395a2bd7b596b83fe4ee0f623eef91b8a353fd46a0d26477823765bfab1134754

Download Submit
C:\ProgramData\Roblox\Downloads\5e7700d3ec78bb49c634f169eae8f8d8

Filesize
437KB

MD5
5e7700d3ec78bb49c634f169eae8f8d8

SHA1
3c365980a3c48c750ca15ed089d26db72be13139

SHA256
25bd8902880562be98a230896bb09d5c0c03f6cb6bc37e3bb017b57f75ec94fc

SHA512
a4d3c1a61155453ffb2798ffa708c7c25862870ff54801fc14053b9a00c9f0c22d844a1ad954f7e1c15c14ab65149e00dbb590fce8a55479d23718dc698f0560

Download Submit
C:\ProgramData\Roblox\Downloads\e413ee764e71986b1628c7067cc9f5b9

Filesize
44KB

MD5
e413ee764e71986b1628c7067cc9f5b9

SHA1
5f2d5b7435ce8ae62e7436a4f1eece7bdba8b4d2

SHA256
40c87038c45fb465ab095ec4c09b34d0545d8cd1f830896cdd3737d6bedf5400

SHA512
95ee6526875c94d8ebb28a9c19645f6360342038c17046ffc49b55063cb9907bd43382c5394fb879e831dd1dc2eb239886417d4f548b16cfd8ddd79fa99035ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
2KB

MD5
81ca63a40f2fe36da84e7afd0f041b58

SHA1
020427225a9a074bdb30b3a9cf8c4cfc82e218e4

SHA256
0a64c0debcf7ebf65ee37a7a5bf8b1fd5426dea673d713bf69ac7d729461394d

SHA512
988fa02d533bfac297bfce2e6597ab9139fc323bf6a78fbd57007fe20335db087f31b29ab7901a6161d3c6e1f779aafda1a9564ba8cd145e1f56e11307e266fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
d5cad80a08e263cf20717106064021a0

SHA1
7e0d5dd995208ff9cc048a341a4448e1aa79776f

SHA256
0d2fc7b48ca069a6a5313a65067cd272a42794643f36f8d1593aa025ce09e72f

SHA512
70dcacb868c5f62204bf806d3d529c63c6f66c40d2152d3a3c4324edecfb11414b51700c9bb8b5a13054a7d1044d8ba739065bf9f9f157eb2416805192f6c2a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_8188B0251A6967A35A03878927DFE701

Filesize
472B

MD5
cd555665145e903e203af025eb1963a9

SHA1
3f7f187b326e555bb58d0022722dca35b7793ac2

SHA256
ac762404a40f8956b1deff4bd9df48f142455e10c09d313bbc7d2b19bccfb601

SHA512
da1097a553aeb3e38025236ba9a66f8caeb3a0648f77f37038a47c8b4d3e5259e12f438da8036cdd4b4846820477eee8f92260273e653122afd98b812d67569c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
f568c03259a003758875155901cf0e6a

SHA1
bac1805db675256b0b6a0be08da6dcfb68fdeaa2

SHA256
d629106136587bdb11db5b28773bc51ade283785c45200bd84243a457df8a88a

SHA512
dd388d73e17f20fe1db08d806e110c1e30f6faa04dd12cdeb134d0021e1ccb4a64975f2afea4abb8b6a402e75b1954946f7588ab90d85764ab0a0b0f67a05fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
b2eddbcdfc89b6e3ddd637795c4f3b07

SHA1
57a8176e7b587490722a040a2b9aaf238b936d6f

SHA256
43ca54e6d0b93e7c4791e7d252e796706458773e7974257464d0f377b4f86b37

SHA512
7e74032d68cf5d5f67870d2d24fca305790f5f9e4d490b1ea5ef9dd3e83b9595241d0ee7ed19f6bab114954ec6faebc6a594b4dbf4cadd5a7cb4df61950b86b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
83be5d3fe066ba9787604b7a34c56c0a

SHA1
ea0ae4136a84813531aad88dde500f940a437598

SHA256
c033b0462c75016c556c2c3d5dd33bce23c5e63dde351b15606ac69ada331f87

SHA512
c459a27dfd2713aa86d3f0875fd6ec18361e80270a67b4082e9606d2dfa204f64fcacf5f620cd659ba179eb448952f3d97e9304beef17778f80f78ef869b7e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
488B

MD5
a539d7b0e165d7a8191d34c4816989c9

SHA1
cb016f521606dd6e5ef0c52372284334fe6640db

SHA256
5f3d537f856fc5c0033c4d1472bcc7344bc154d2bd3ad216a78e92388b700900

SHA512
8e4f5488ecc3cab3d0b19571e06f8edf41b1e2abc113ce7dd7c8fbfa0bdfbc29761fc0dd2456776d98424fb2c5a2bc50969f45b5c31fc0cfb743ceadd3babba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
d6e6ef0055ef6cfcc7250e4de2748dde

SHA1
b8a5f108a3fb1078cd7274d67cb6cc4d76c9fe62

SHA256
98277d5c579ca13eb888dcd769057c9e978d9d1ae2de62157f5c97f05b02c018

SHA512
76bd0737c9a4ed2714b889d61a24666449a8cfbef7cd87d6f6f1c8d62eafb35033a9297843f556a2d3ec910d71aa64badc229417b893ad7d1c2192d7f8275ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_8188B0251A6967A35A03878927DFE701

Filesize
496B

MD5
63c1b4660567d66396b2fd8f99f51aba

SHA1
aad93e6e34809c27287bf880e86e98a58da242bb

SHA256
b323c3f7660f943a796e817694a87a98badf7476be3ab7d2058a6a122d0a721c

SHA512
1a6ae48aaace7971d424ca3d2a21f01557bc133abc7bacb45cf53c88c9b3e0d4e259667eca31219472cae67192fbaece5eca29d3eb7b39ce50ef851781874f26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
6a32d12b1a3693451f145d47a504195b

SHA1
e0cbd69b10db70240cdda65420a253703ae37f28

SHA256
883a42aa5d6eccb0a5ef72ebf858a0ac4977f7975265d831a6abd4effc05fd0a

SHA512
1e40b3cbbf767096a60cf4929b7064617b9c85856db81521fd43d76f0b3f95f20de3b21ffdd04451c2456495e76b1d1fb338fadc58ca60bcbf9af66aafb569bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
f1f8ded10f6493a5aed1951f737b414f

SHA1
1a3008bdb12fd09ccfc19ddc3fec86e04be1bf42

SHA256
c6df97b6ffbf8f0ddea667687a9972d51dac27a4827f771b712eb57723d82daf

SHA512
bdc8f5a6a40d4a9cf506acb901bf94dc54178bae4d59ebff32b4aea0bca1edfb96bf8ab58023c2169ddf1f916a5089f3b0f06568bafc797635953c4ee9ce35d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
f7707313928a7c96f41c8f8e9934afe6

SHA1
344f03ffc16bbc4d63a48d9a5061fd3e4d05c678

SHA256
788d800b49b88d77719d4db4f4f70922ea61acc203b92f6f5d383052d34501b8

SHA512
b475010ab71c2230b19a1673177ebe27202cf9a56072ff565910bd6df4228cb4a91f5f89aaa7ce3fcff3e9543df31a5eb8237b6adc82bdda87d25259e3a095d2

Download Submit
C:\Users\Admin\AppData\LocalLow\rbxcsettings.rbx

Filesize
47B

MD5
818b469a34fd6bf9ff2c4fa463410a55

SHA1
a17b0b2d23416236a71c40cb20293c0977d40573

SHA256
2e81ad6e973d1b9c66e30393effcbe0302e15b54f183e149c1047799e88e0b1e

SHA512
d5151e6a612eb5fd5ff6683d594f8fb1886d7c32cd20248a094f4f99c0743ba83d46619cc8aa6381a2ef28bccda4c87da878f6d131a52b71a2d370ba907428a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\BatchIncrement[1].json

Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\PCClientBootstrapper[1].json

Filesize
2KB

MD5
3b7c2357acb948da94e2c6d0d32ec79b

SHA1
ce53693f0589f014937809f5047a604a96ae944c

SHA256
d52f5dacf73f3eee01465b1145212e33e4cff63d0b07ab6ce6af6d8f6fdcd77a

SHA512
87987a940ec99331a92c679cef60d04f1242c35bb937e92a689fd4380dd049f69642107b7604eaea3cec08935a9b627f9027e82b8027f42064eede454ee3931c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\PCStudioBootstrapper[1].json

Filesize
2KB

MD5
02a70e30ba993ae7c9edbad7b0f6dae9

SHA1
a90891638459b2a4a81e655253165f766734cb47

SHA256
652f84d524eca0eb19fec6b1f64b45549f904f21d9dfe3c816f035cd1f19ce14

SHA512
68be4cc55147f63c3d5fa5147256e78ccd3001ff1b477d0a93be5fd0220a0eee45ca225347c5a76987471285949362b0727ad468736a6a51c2bae370d4a66433

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
143KB

MD5
ee961f7b40ca630defe3e7a6e5f6a1e6

SHA1
c6a8fd00a65f14309bf3cca9399620a7749b548b

SHA256
78493e6b09e7af13fef68b0605eaca194f56c9708f6a508b51ecccc6f72918a0

SHA512
c0a1036aff94428cdcde1cd8e0451ea1445cd083e18f04b4629e837b4b64e28ba79af5f37d2a1ee259522a36b9f05aed4669426fff53734d08bd8a6b77a5fe86

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
cc7e66cad614fb70b0590c6305066fb8

SHA1
8fdecc00fab787a3f6a322c14d669784f8762119

SHA256
ec9bb266a3673f0a70622577c00a9dbe88a81d859d27b9fc41c8a83846e73bf6

SHA512
bd4057c74ee2d171383b7540df0ba127851fd5394c0c747f6268b8ad26a9a3fea767d8cad990e9eff21f58b87d22b258a1f5835a52cd7493b5c1a78e69b4c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
43565946190d8ae29cf7f497a676a5af

SHA1
a7f78ce3966c74c3aeff0b2ed5fca4025249a8e9

SHA256
f914e587c92ed21f895566a506cffe87d646d463bb151b892af0395aa1d7c9ba

SHA512
4da5ccaa1bff9973e1f3caa392d713e09f3fa77e306cd80710cb0eac2eac0bcd625bac4ba3c8bb42f53d470010c449923a55f6e524cb5cb04584260084483bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
f8e327a31c61455837d57f7cc3b90411

SHA1
b779021a0a61ba43794ff07e821de5b3d2849c08

SHA256
665b727c76ad0277e94271f519fcfe47976951d26290bbe22ee79aa5ba6aa195

SHA512
8550b5b3ca5ca69cccc2102e11f0072df0adeb9a04eb00aafaab8c24cacbd5fd1999f2ffa54e1c74bb6c7b92f8a56bc9accb4a6ea78ec736c730c873b8716119

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
29648d10f2df4cb1c98162aadb714586

SHA1
67c2bc967323d0359e72cbbf83f03b16c35676e8

SHA256
6a291d8ec116e17638356b449be4978919617a3494df7f87b79862cecad1af46

SHA512
3e6a2580254b30273507f42d5ece41a6fb05a0485d7a95bd290ef9f5408001f228d005a89b398e1ac631b84efc54bde0696910a6d0b800e3f90febf64fd1a589

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
3855c85314cbed0e56f66b53b60837bb

SHA1
4748fdca9bcabaf270eb7f915c317abdf1ba98ab

SHA256
b2fd99137d3ac9e12b4d2b76426c75d53f487ef7151b11e6190ee31b8b1bf407

SHA512
136b311f3175c7210732121075e726d01bfb8b8d71ce03fa49c0461c52ce8dae85bc93dcee0de136da69976646de0231bedc4ed1fd431fa0c2bb235830061227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3666ee0cf55838b0b5adb4695de9c040

SHA1
64a9967675e7a6145a4c9d090be62d49fbde6985

SHA256
1755269ddf3a28a91516a9cb4d3360af0651bd39051dcf9df3aadc3f2b1ffed1

SHA512
e1f08cafb9d08e1df7f131cfed49d7d9ba91505f998ad25d21c48a68906070527458b512e753a897055368f88fa21d9b4eabd346a8453b0887ec29662b1d3479

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
1cacbe1dea1f952fef5851fafa5cdac5

SHA1
fda68a298fddfc6d3aa1bf55cfecd8d4b9cfa116

SHA256
5f5e26a2099ae8522d03792a879a6fded90c17575eb8afddf7ca9dd22ce1971c

SHA512
459ce57ba997de0a37143911883c9ec8dc0d805ef36312448564b11f7cae52e7534744f0a1be9c8822f9ad0d0423e3ba4b3b5f1f685468b8e218b08221c7158c

Download Submit