hxxps://mega[.]nz/file/9B1TzBAK#HGJcdNo-REwDfQ4-MM2FUDTviaQyXqXNfuYjIpbokB4

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/9B1TzBAK#HGJcdNo-REwDfQ4-MM2FUDTviaQyXqXNfuYjIpbokB4

Score

8^/10

evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	RobloxStudioLauncherBeta.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	RobloxStudioLauncherBeta.exe
2084	RobloxStudioLauncherBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxStudioLauncherBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\LoadingScreen\BackgroundLight.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\AvatarCompatibilityPreviewer\Light\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\EnumMember.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\AvatarCompatibilityPreviewer\add.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\StudioToolbox\Animation.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\TerrainEditor\Light\Large\Air.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Menu\hamburger3D.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\VoiceChat\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\AlignTool\button_center_24.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\DeveloperFramework\Dark\Large\Close.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\AvatarEditorImages\DarkPixel.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\Variable.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\BallSocketConstraint.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Emotes\Small\SegmentedCircle.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\TerrainTools\button_arrow_down.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\AvatarEditorImages\Stretch\bar-full-mid.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\StudioSharedUI\RoundedRightBackground.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\StudioToolbox\Voting\thumbs-up-dark-gray.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\avatar\unification\testScripts\R6TestScript2.lua	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\ChatInputBarConfiguration.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\AvatarEditorImages\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\MaterialGenerator\Materials\CrackedLava.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\TerrainTools\mt_regions.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Controls\DesignSystem\Thumbstick1Horizontal.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\FaceControls.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\fonts\PermanentMarker-Regular.ttf	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Controls\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Controls\XboxController\ButtonB.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\PlayerList\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\PurchasePrompt\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\Terrain\Dark\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\Terrain\Dark\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\Actor.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\ScreenshotHud\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\avatar\defaultPants.rbxm	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\UISizeConstraint.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\TerrainTools\mtrl_brick.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\AlignTool\Light\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\TextureViewer\refresh_dark_theme.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Settings\Radial\TopRightSelected.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\Notifications\Dark\Large\PlayDisabledFilledNegative.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\Localization\Light\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Shared\Debugger\Light\Standard\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\ui\Settings\Slider\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\fonts\Sarpanch-Regular.ttf	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\avatar\heads\headM.mesh	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\Cursors\KeyboardMouse\ArrowCursor.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\RoduxDevtools\Undo.png	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\studio_svg_textures\Lua\Terrain\Dark\Large\[email protected]	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\avatar\compositing\CompositRightLegBase.mesh	RobloxStudioLauncherBeta.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-addde8fab87841a4\content\textures\TagEditor\VisibilityOnLightTheme.png	RobloxStudioLauncherBeta.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxStudioLauncherBeta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RobloxStudioBeta.exe = "11001"	RobloxStudioLauncherBeta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2132103209-3755304320-2959162027-1000\{35B954E4-1075-40EF-ADA5-7CF21745D676}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 830571.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3216	vlc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
2132	msedge.exe
2132	msedge.exe
1964	identity_helper.exe
1964	identity_helper.exe
1276	msedge.exe
1276	msedge.exe
4764	msedge.exe
4764	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
1608	msedge.exe
1608	msedge.exe
2256	RobloxStudioLauncherBeta.exe
2256	RobloxStudioLauncherBeta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3216	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4176	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe
3216	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3216	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4996	2132	msedge.exe	69
PID 2132 wrote to memory of 4996	2132	msedge.exe	69
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3972	2132	msedge.exe	88
PID 2132 wrote to memory of 3964	2132	msedge.exe	87
PID 2132 wrote to memory of 3964	2132	msedge.exe	87
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89
PID 2132 wrote to memory of 2620	2132	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/9B1TzBAK#HGJcdNo-REwDfQ4-MM2FUDTviaQyXqXNfuYjIpbokB4
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd83346f8,0x7ffbd8334708,0x7ffbd8334718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,14334227175355237521,782921289521442036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Users\Admin\Downloads\RobloxStudioLauncherBeta.exe
  "C:\Users\Admin\Downloads\RobloxStudioLauncherBeta.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- - C:\Users\Admin\Downloads\RobloxStudioLauncherBeta.exe
    C:\Users\Admin\Downloads\RobloxStudioLauncherBeta.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=c6e1610f3bc2604e4e4d304c4149b49dfd8ff6ff --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=0 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7a4,0x7a8,0x7ac,0x7a0,0x6e4,0x1b525c0,0x1b525d0,0x1b525e0
    3⤵
    - Executes dropped EXE
    PID:2084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x25c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UninstallReset.mp2v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
2KB

MD5
b8a3e9155f3cce26002fc47b27aadf2d

SHA1
606c275b884fddf4aa5507ea4045ccc8c3749583

SHA256
922d6d2e6f88db3e1c365462302dd6509f95d48a0e28f4c59f496ee82aacf869

SHA512
050539f8a49b35db31ae5c7cf7166953b2ba5364b5973a10f4323482daa92f74a6850a09032542f0be4b34b97b97cf6d78d3da55c42fdfa9da4ed80cbb6c3a50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_2033B9334DC92599122A3B9136FA3F05

Filesize
472B

MD5
3f5a73692308b0e73a83c333d7a927e7

SHA1
85e71b462c1951dc18f2026fdeb9811ac4b57bd6

SHA256
7faf042f1546d1c489c6a72f5a63f638735ec44c2e28ab5d109d1aae265e6ec8

SHA512
ae3a00335f87956f0adeccc5cded6223a5a609703216428e0cfc0a03fd5dc67786fd9a57a7fac5a9f99f5b3571d6b0330b5e9a3d79946a7f1ee010c186a0bd59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
2cdea405e4dbe5d0b8c7c223ac2a1f22

SHA1
472f0034c25080e74a3f62d34ba93f55e6222d3d

SHA256
457e0ebb2cdfbe5ce12b9c9679e522883ca7eba355deca0be73985c4bebb7f26

SHA512
22bd06c93921b389c24cea239025063e77946d4a63bfa3e5b551a1386782dcd961a97db8393044cc95895bd84d3fb180a145ff8f2f3c77ee4f9978d35591e2ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
488B

MD5
6eb6a0c073a51d1aed106f5aebef5557

SHA1
83629518fa827f5cda98f51510e16560a00ea5b1

SHA256
13671607b662fafae3df12a86c84fe49c048488b7d6326a04519356dad74e854

SHA512
260a2c8b2fb69168e0f4d4b63c5d3f7cfe9283a379f2e3bf2e0f6fc1c40ff507286af814a115465d989d70b3db98cd40e9908236272f5fa9cfa993dc316da67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_2033B9334DC92599122A3B9136FA3F05

Filesize
492B

MD5
fa8b3765ebd6e3f07b6158c61b82fca5

SHA1
e82394cf78807e08e746599de3cdff898931b9e8

SHA256
3fbd080ca181b31921665363ebbb2473c177bfff33b264d5c3e37d09de89ce3f

SHA512
4f09c3bbc311d0fba25efa67416532ec0c169333b1ba23b90b4916a874c33dbf82ac81e321645db937b46ddcfa9e6024eeee7199ab252de43f80b03be2db5c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
c4d1003cd0370009969af6c90c72db31

SHA1
39c3784e764f0fb1e56503c56a4a955b7c0cde24

SHA256
18cf0e2686959a0b7450b08c10147c99dbeda1ad4e6620cbd6a7445b3ca6d437

SHA512
7a1e8d54100c2f0d4fb2d61ccccce56e562cfbbd8626d280cd2c510a82fb80fe6cb03792fbae7950bd97e402befbc1e49f58c978fb192fa3fb6da1554431898b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f7f8c02d1aadb5d9701f0269c6e27e66

SHA1
b452a2b2214521139bccceb65a9b41b314fee2cc

SHA256
3bd72ff67e607a26b8f9bead4d7b0ecd19cba570c39ce4f82702c22f1a19d040

SHA512
d00a6bf4b10d97a4f938648568ba305c30c66e6a68e19cc70382afa6c1ff0d96613d760693b3e055331c0ed6afc4b74c2208475f4d225b1dbc2740f478f04ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
184e8d6bf331617250cd33b775765927

SHA1
5f318b75673e92d3f01e7c46f88c81d4a167f359

SHA256
4f0d95aa8fd14ddf96f26704b177ffb76b0a5d0ed81401ea764bdeca08ea93b8

SHA512
311798feacd41d4f415675ad1cefb37cc075a13c52f1d47932ac05fb081578abc43ff300f4c78b90ff08d9739d8836e99fdfac7a75245098671dceb314671b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
e08735d8d04f386ff229cfdd8a901096

SHA1
e90c5ea41031dec6fee120cc3dff12883d030394

SHA256
dc42a69331760dd72e43c530f6bfe4baeaf1e8ac68edd7e6ac80d131afe9c0d0

SHA512
a1459dfe83ad0ce30a3c50bd9de00e56a57f66b6b96eda248288d5de02cb0bc5c22797e0a33188bfc09a66a0695e6b3c57ba5f0d743abf2c6e5a4b66bfd75386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1528408762b8b27768c8465583426c7c

SHA1
b4a73ae4f6734d4c1d4eb4fcf9008bf0ba5a5ffc

SHA256
1c08904a699fee547ed366c2fe46f45d594c24dc3731f1c11be1fe32e6d93277

SHA512
99603c22958ecdef3402f88c5626c126f679df4373413a139b9a7522b5ce47f479a98435ba66e7a3da9f10052edd865a96220d5c6850d32588f8ed9455a757f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c828988ba0c37b04343a7715014b967

SHA1
06ca8378cafc003630d02e92587a0cbfb9b57049

SHA256
fce6459d1d71172f0defe3a121da074ee73a331902fc79e46941d77a37f075aa

SHA512
62992414c7d6b0ebd6c13ef80d772e339509e1c71e11b764cdd8d31c0bc0728cafe248108ead0a1598b26811b2432a6a9276682d381338eb2c51f52805b0f823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a440beb7cb5de0771f83af56b5285f15

SHA1
93c55cc1b12808904944e2cab1a6291edf22eb08

SHA256
d9410140bfaaaf732a786034904832c6f89a0c9fc3c228bb638e7dd838bb9a78

SHA512
88fcbee63a696e761487215551d7747570bc69415e7fc1099fd9538d67943f659dd5587e330f025fa0b5f759f182aba162fe547e549963cd7d188b95aa3ab0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a7e1be32fe99762f9badceb85a569a13

SHA1
1a4e2a29f12f7cc789db7e609406401f2eea3175

SHA256
534a6faa069540d4a5d17bf5a15e87d4f6a65fa614d0912f04cfc69f53638583

SHA512
0ae198951a1d35869f0190bd248d2cb745c46380f1a8f288a2c5f7aa5af7abb39b780e087ea20024bc8d28a415ceb73c3c9ee8d6782393bf501db93e486d114b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
74966aa16ba4ed0000015aa66e3bd4fb

SHA1
679156540c17aac37f21db3a12ff86b419d1559b

SHA256
db0d6cd3913e46f954720279943a5848320fbc4d50791a0aef5675a6c3c28db7

SHA512
8cbd127b29e7f3064368cdc528248f76206be23bb5be819fdb32ad9abb61a1db9407e1e195d373d10b58688d8e0aeaf5a91d6e2719de1fadcbefc5e013e093f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7147c0147a3c5c52c128522dd9dd839f

SHA1
a33d6e9dcbee3c14876260378505bee1138999fe

SHA256
1bc1ae3cb5ae6fde891321b8d76e93f44664738e8c11223f7b8e431d3bb8e746

SHA512
c7491b1b89c7c029874660ff136868572d655bb90cd327c37be69fd45e8c3b33e0d7e549cbabe89f2616a6af720db4bf74245b35f9e594fd7c207b4a9f723e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
872310ad16d1d99c992c40ae9af08a16

SHA1
9cc3c335ce07db3b2619a747229a769d11c161fc

SHA256
0851f00cd559b86a538686fae226f68a24b7098329702b11365bab0f75f91238

SHA512
d4476a7398578172de449fc0915699d2bdabd25a9ac607a444fd92dd3f9e9dcb372bf05146a9ab44a295ff826d6bbf7b9e4a66602cef42b2e42597c5813ecacd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a8874a44977e1af00efab17644f81029

SHA1
ba7f7da21b6f16de5312f8d8f39b16632b1125ed

SHA256
287c30cfff46174c2bb423d6683a9f970c3cf6a412295a1146ba4966f2aa4bd3

SHA512
fee35f83ba538d7140bee25c2901c7021d8b53dfee61ed7d53193074352c3aaa9cdb445d5bc4b4951ea260114fd3e991aee30b6918e1275526ab0cebe522dbc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579e53.TMP

Filesize
48B

MD5
5614121a7d395bb2e0fdef5e7b67b936

SHA1
c7a2a2744a9c67c5aecb6e29a204002c41e7df09

SHA256
a6bb5c27ec3e7b7b700f33c3704375d2106dc1d7828ed42f9202525f55f5e595

SHA512
5635c35825df53e4e234053485a4ecdc2f031cbdbf6461ee4f7c2af970baed80f4302c472f4f84eb095742b4183dfcf7aaee97411aff97eaacdeda079bd8682d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
6b90fa60c6181f87894bf9cc34d5d8e6

SHA1
7126e34e7ab2bb44cc808f2aee1fc9cf6bfbaec9

SHA256
18af8e385eed9c701df0e62f8944a17de2a8572b9e8ec22be153b4c12b4928aa

SHA512
5c66a1bb4889f1149b316bc89d6021524a97a62c9f22046c3c3a4c8eb7d48b1d2d681f4961fce89a9a375f2ae87da05d18af7cc7e0e134ffcdf9e35f3374f007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bba798525b89deac689b206af670a7b7

SHA1
4fb6009a2e108817e665f897ea743102f28ca16c

SHA256
80b2b94e6e7514b52dd927bff90ba7b01481d0540aa4d72a8f48923b900bbc6a

SHA512
b92320936e63d7d6569982ac0b315e3358f386118431f6d6c79288227e83cd31f046fab927e4eafd255c16b85d7e112bf226aadbd4973eeaf6e6d7cfc61daec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
803d51475b4307f3cf9aae9de0ab4632

SHA1
6c4ab55c31053581bf8024cb55971687e18f2c79

SHA256
1324b9fe033ae4c4485271e48ce0ba6837825e885d9299cedc260fbc51a5abe5

SHA512
752717a2b375296a2d23d15d81564d2c53116992336055e68a68e5eeebd8542420ce162269d660a44be1ac728709c49dcbb409f5aa128a0a5a4ec022265588f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588f79.TMP

Filesize
203B

MD5
03713a65741d02b7d24cb11bf076fc56

SHA1
0664d232f9c7fb583b988b397eb72812d4c19ecf

SHA256
974a01873142ba9b880c36a88bbf02997f86c193afde70eadb63d4db84a42ae0

SHA512
e97e8bf7cc7fc3469f0f27c0dd918ceec6908577af3cbcd1168d4b3e0ed37b6b892443f7c74a6d0b85ce0f19f870dd0142b93d448ed8e3003b4d3661bfd9381b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c4ba21ca-eabd-4c94-882d-140703a718ac.tmp

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a303d280f45404ea4473bd76888ea01

SHA1
d51411fb633743fce5d77fc2d55f8d89a7709612

SHA256
04a488ec40a53cd3a32cc32c519a0a31fcecc2a148f6d2c6889dc44022b48ee5

SHA512
06afef2caf67d82cb658d3e589f53b7bb532e321161a261d965582e23d3961d38089554e584bb9e0cf70154df93fe30e4231414319ca6932be36f7fb3d106fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1d4029904fbb60f24780fb1d77e7f92b

SHA1
3e3c8a395a61e1dd2ad8672c6e533f417875f0c5

SHA256
3b625e6d3fee28214e1e218b3f088e7d6d97b0f48f4cae33c319a475f549809e

SHA512
5a56c8ebf84e4efd1161d2136d560736e0bd2bd6292a53827bc64aac04033b63d0eb05fa55abcf4713b2f3e8ecf7eb9d7a57584e5080a14a1a99eeebf4b07d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ed1b52f4bace71b14957bfc158902d2f

SHA1
cbca459f54580f01b0b5d1f528ad13463062964c

SHA256
8d7ec0bd1111b1bc3d2e57aa83eaf38bcedbddc1741d14c0a9b45dabd3acb0e8

SHA512
bb9742fc898dda4ce1dfbc770d30b9fc6c214b5d47877f4a022ff657804ec11607fe34676bcb344c52c7d0bc29c0bd2cd29ae70d5019e7b048c877e50860cd08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ARC7ZUJB\PCStudioBootstrapper[1].json

Filesize
4KB

MD5
2c7c35a883404ddbe05101d19a48ed84

SHA1
42a394d1fb8137633d3aff3fc8bda7b7c9c5a9ad

SHA256
1da9354b9615fb2b9e794863b5ce07e04863793e0365c5585591fe07e383bf5f

SHA512
9432264ce093548aa71babebd4ddf9b4b183cfffb14b3f10d3ced0fccef7a93b991119b55fa973bed6933d0469cbfa48ada5e4ecaacce17b3411f242b4fae39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AYZZE35H\BatchIncrement[1].json

Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 830571.crdownload

Filesize
4.9MB

MD5
43710250f806d2f27a0a1e9cabc085bf

SHA1
20ce6a4c1e551c8fa51fff3a5ebf34face162d2e

SHA256
969b49fbb9e655d1449bba951ac5e5452a247f36bb41d6a9c2ddb192a30b84ce

SHA512
c95bd50df4f60e78fdfd951f331a81a935c86ec8a0e9940f2ef73b9b405ab55fa0b7395c5b8fde9fbee7790a7009c42e19ad05c84121c60e9dc722569f93f7e0

Download Submit
memory/3216-655-0x00007FFBC4150000-0x00007FFBC4262000-memory.dmp

Filesize
1.1MB

Download
memory/3216-651-0x00007FFBC4940000-0x00007FFBC59EB000-memory.dmp

Filesize
16.7MB

Download
memory/3216-650-0x00007FFBC6E40000-0x00007FFBC70F4000-memory.dmp

Filesize
2.7MB

Download
memory/3216-649-0x00007FFBD7FC0000-0x00007FFBD7FF4000-memory.dmp

Filesize
208KB

Download
memory/3216-648-0x00007FF723410000-0x00007FF723508000-memory.dmp

Filesize
992KB

Download