Resubmissions
23/02/2024, 11:54
240223-n2w51sfh88 Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
submitted: 23/02/2024, 11:54
Static task: static1
URLScan task: urlscan1
Signatures
Downloads MZ/PE file
Sets file execution options in registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | OLD ROBLOX INSTALLER.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | OLD ROBLOX INSTALLER.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | RobloxPlayerLauncher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | RobloxPlayerLauncher.exe
Executes dropped EXE 22 IoCs
pid | Process
1412 | OLD ROBLOX INSTALLER.exe
732 | OLD ROBLOX INSTALLER.exe
3744 | OLD ROBLOX INSTALLER.exe
4188 | OLD ROBLOX INSTALLER.exe
3656 | RobloxPlayerLauncher.exe
4252 | RobloxPlayerLauncher.exe
3044 | RobloxPlayerLauncher.exe
5280 | RobloxPlayerLauncher.exe
5224 | MicrosoftEdgeWebview2Setup.exe
5660 | MicrosoftEdgeUpdate.exe
3140 | MicrosoftEdgeUpdate.exe
5656 | MicrosoftEdgeUpdate.exe
5632 | MicrosoftEdgeUpdateComRegisterShell64.exe
5844 | MicrosoftEdgeUpdateComRegisterShell64.exe
4604 | MicrosoftEdgeUpdateComRegisterShell64.exe
5928 | MicrosoftEdgeUpdate.exe
2076 | MicrosoftEdgeUpdate.exe
5996 | MicrosoftEdgeUpdate.exe
6028 | MicrosoftEdgeUpdate.exe
5208 | MicrosoftEdge_X64_121.0.2277.128.exe
5148 | setup.exe
5512 | setup.exe
Loads dropped DLL 15 IoCs
pid | Process
5660 | MicrosoftEdgeUpdate.exe
3140 | MicrosoftEdgeUpdate.exe
5656 | MicrosoftEdgeUpdate.exe
5632 | MicrosoftEdgeUpdateComRegisterShell64.exe
5656 | MicrosoftEdgeUpdate.exe
5844 | MicrosoftEdgeUpdateComRegisterShell64.exe
5656 | MicrosoftEdgeUpdate.exe
4604 | MicrosoftEdgeUpdateComRegisterShell64.exe
5656 | MicrosoftEdgeUpdate.exe
5928 | MicrosoftEdgeUpdate.exe
2076 | MicrosoftEdgeUpdate.exe
5996 | MicrosoftEdgeUpdate.exe
5996 | MicrosoftEdgeUpdate.exe
2076 | MicrosoftEdgeUpdate.exe
6028 | MicrosoftEdgeUpdate.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun 1 TTPs 33 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OLD ROBLOX INSTALLER.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OLD ROBLOX INSTALLER.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerLauncher.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerLauncher.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
6 | drive.google.com
10 | drive.google.com
Checks system information in the registry 2 TTPs 8 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\FaceControlsEditor\face_sideView.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\TerrainTools\icon_shape_cube.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\TopBar\HealthBarTV.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\LuaPackages\Packages\_Index\roblox_t\t\t.d.ts | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Trust Protection Lists\Sigma\LICENSE | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\VisualElements\SmallLogo.png | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msvcp140.dll | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\InGameMenu\ScrollMiddle.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\TerrainTools\mtrl_water_2022.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\DeveloperFramework\UIOn_light.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\WarningIcon.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\Settings\Help\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\MaterialGenerator\Materials\Marble.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\SelfView\SelfView_icon_indicator_off.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Controls\DefaultController\ButtonA.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\PlayerList\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Settings\Players\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Settings\Radial\Top.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\TopBar\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\VoiceChat\MicLight\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\AppImageAtlas\img_set_1x_8.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\avatar\heads\headA.mesh | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Controls\PlayStationController\PS4\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaChat\graphic\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\AnimationEditor\img_eventMarker_inner.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\RoactStudioWidgets\toggle_on_disable_dark.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\PlayerList\BlockedIcon.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\AppImageAtlas\img_set_2x_7.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaApp\icons\GameDetails\social\Discord_large.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaChat\9-slice\modal.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\msedgeupdateres_km.dll | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\DeveloperFramework\PageNavigation\button_control_start.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Controls\DesignSystem\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaApp\graphic\shimmer_darkTheme.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaApp\icons\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaChat\9-slice\[email protected] | RobloxPlayerLauncher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\webview2_integration.dll | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\fonts\families\Kalam.json | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\StudioToolbox\AssetConfig\plugin_temp.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Settings\MenuBarAssets\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaApp\icons\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\LayeredClothingEditor\Icon_AddMore_Light.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\PlayerList\NotificationOn.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Settings\MenuBarIcons\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaApp\graphic\gr-avatar-frame-36x36.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\CollisionGroupsEditor\delete.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\Cursors\DragDetector\HoverCursor.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Emotes\Small\[email protected] | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\ErrorPrompt\SecondaryButton.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\LegacyRbxGui\StoneBlockSide.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\AppImageAtlas\img_set_1x_3.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_3x_1.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaApp\ExternalSite\guilded.png | RobloxPlayerLauncher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\tr.pak | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\configs\ReflectionLoggerConfig\EphemeralCounterWhitelistMock.json | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\AvatarEditorImages\Stretch\bar-full-mid.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\particles\fire_main.dds | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\TerrainTools\icon_regions_move.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\ui\Controls\PlayStationController\[email protected] | RobloxPlayerLauncher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\vcruntime140.dll | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\PluginManagement\edit.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\content\textures\TerrainEditor\select.png | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\PlatformContent\pc\textures\water\normal_06.dds | RobloxPlayerLauncher.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame.png | RobloxPlayerLauncher.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerLauncher.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerLauncher.exe
Modifies data under HKEY_USERS 41 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateOnDemand.exe\"" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ProgID | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\msedgeupdate.dll,-1004" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ProgID\ = "MicrosoftEdgeUpdate.CoreClass.1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ELEVATION | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\
= "Microsoft Edge Update CredentialDialog" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ = "Microsoft Edge Update Update3Web" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32 MicrosoftEdgeUpdate.exe -
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 482451.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
2984 | msedge.exe (2 entries)
3288 | msedge.exe (2 entries)
4820 | identity_helper.exe (2 entries)
3048 | msedge.exe (2 entries)
3656 | RobloxPlayerLauncher.exe (2 entries)
5660 | MicrosoftEdgeUpdate.exe (2 entries)
5572 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process
3288 | msedge.exe (10 entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5660 | MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 35 IoCs
pid | Process
3288 | msedge.exe (35 entries)

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
3288 | msedge.exe (24 entries)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(64 rows in total; the table repeats the following distinct rows, once per write)
PID 3288 wrote to memory of 5012 | 3288 | msedge.exe | 49
PID 3288 wrote to memory of 2960 | 3288 | msedge.exe | 89
PID 3288 wrote to memory of 2984 | 3288 | msedge.exe | 88
PID 3288 wrote to memory of 2120 | 3288 | msedge.exe | 90
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, the command line, the PID and the signatures triggered by that process)

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3288)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/147wBd9SNBhObfNefkk4Mcp7QJVFFYbGc/view?pli=1
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5012)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaeda446f8,0x7ffaeda44708,0x7ffaeda44718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2984)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2960)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2120)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5096)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1796)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4932)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2152)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4820)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3500)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1960)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4300)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4172)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2976)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1420)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4172)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1348)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6936 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5072)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3048)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe (PID 1412)
    cmd: "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe (PID 732)
      cmd: "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=de7347e1fb5c5730c209cc15c480e575fad25570 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x74c,0x750,0x754,0x660,0x75c,0x982bfc,0x982c0c,0x982c1c
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe (PID 3656)
      cmd: "C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe (PID 4252)
        cmd: C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=33db88719123bd6e70c8be814e9c3adf0810f627 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x52c,0x558,0x55c,0x524,0x578,0x17c86c0,0x17c86d0,0x17c86e0
        - Executes dropped EXE
      - C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe (PID 5224)
        cmd: MicrosoftEdgeWebview2Setup.exe /silent /install
        - Executes dropped EXE
        - Drops file in Program Files directory
        - C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\MicrosoftEdgeUpdate.exe (PID 5660)
          cmd: "C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
          - Sets file execution options in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks system information in the registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 3140)
            cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 5656)
            cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
            - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe (PID 5632)
              cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Registers COM server for autorun
              - Modifies registry class
            - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe (PID 5844)
              cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Registers COM server for autorun
              - Modifies registry class
            - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe (PID 4604)
              cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Registers COM server for autorun
              - Modifies registry class
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 5928)
            cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUYyRTEwMDYtQzAyRS00RUUxLTg1MkEtNkJBOUIwQUMwMjIyfSIgdXNlcmlkPSJ7OTExNEVENTUtMzBFOC00NzRFLTlBMzEtRkFBRUI5NTI3NkM1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4NEE5QTI2Ri1CMjQ3LTQzRDctQkE4Qy01OTlGREREQjg4NzB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODMuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTcxNTY4ODU5IiBpbnN0YWxsX3RpbWVfbXM9IjY4MiIvPjwvYXBwPjwvcmVxdWVzdD4
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks system information in the registry
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 2076)
            cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{EF2E1006-C02E-4EE1-852A-6BA9B0AC0222}" /silent
            - Executes dropped EXE
            - Loads dropped DLL
  - C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe (PID 3744)
    cmd: "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe (PID 4188)
      cmd: "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=de7347e1fb5c5730c209cc15c480e575fad25570 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x50c,0x510,0x514,0x4e8,0x534,0x982bfc,0x982c0c,0x982c1c
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe (PID 3044)
      cmd: "C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe (PID 5280)
        cmd: C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=zflag --annotation=RobloxGitHash=33db88719123bd6e70c8be814e9c3adf0810f627 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=25 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x714,0x718,0x71c,0x69c,0x724,0xe586c0,0xe586d0,0xe586e0
        - Executes dropped EXE
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5572)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3140 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 1072)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2460)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 5996)
  cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Modifies data under HKEY_USERS
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 6028)
    cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUYyRTEwMDYtQzAyRS00RUUxLTg1MkEtNkJBOUIwQUMwMjIyfSIgdXNlcmlkPSJ7OTExNEVENTUtMzBFOC00NzRFLTlBMzEtRkFBRUI5NTI3NkM1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBODlDMTU5NS01MzFDLTQxNzItQjc1OS0zNEY0N0I3MTg4MkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTc2Mzc4NTI0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\MicrosoftEdge_X64_121.0.2277.128.exe (PID 5208)
    cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    - Executes dropped EXE
    - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe (PID 5148)
      cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      - Executes dropped EXE
      - Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe (PID 5512)
        cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7ccbd1d88,0x7ff7ccbd1d94,0x7ff7ccbd1da0
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 6.6MB
MD5 7a4813d6dba0b2abf7376d79e068afb9
SHA1 a790f1518cb919875b603fc180e92f96c9e076f1
SHA256 dec061040fb655f176211bc8a3fc3a0c6d096f23d35129804a98261f1534447e
SHA512 6d93407376271abb5c902b6f508c33c83fa7e69fb192a61efa4d7a825b7abfdbfdf7b8a5f934857082a2976cd9cfcdfae1d76596aa4a2f1bebb3d712e6f6e4b4

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\121.0.2277.128\MicrosoftEdge_X64_121.0.2277.128.exe
Filesize 25.3MB
MD5 af8c38a67e793e7a7c6fd302021c012c
SHA1 90733455c8eaad784d11dad85728e45e730d475b
SHA256 2f78c13997ee0e278b3461ac034beb462d2599b3f71ec828fc73db0857b3ceae
SHA512 49f3b084f6c7967c73a0b312c20e785d6703e0c2f65e1fa8051868baf8e56964ac0c7ed85ea7345668d11366757b17d45201307012fa70f24ba13ffbf1eca46f

Filesize 201KB
MD5 4dc57ab56e37cd05e81f0d8aaafc5179
SHA1 494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA256 87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512 320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Filesize 2.0MB
MD5 965b3af7886e7bf6584488658c050ca2
SHA1 72daabdde7cd500c483d0eeecb1bd19708f8e4a5
SHA256 d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19
SHA512 1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Filesize 4.9MB
MD5 a502990d5df008eb385b5862f37c3a6c
SHA1 e6c92247d2ec0a7e823910f096d72a661da19db8
SHA256 b9a56ff86f4f6d7ca4c91aba67b55e8487dcd0c31ea75fb8664a4f28aa0411b1
SHA512 ff99f05a31be147e15cbfc41d9d9f371749c61dac22c2e46d73a807376c2ef8254f87c83b0d385df8f6d6262a35d95a6ea9790dde10bbb4046ecd6ed1262cbc7

Filesize 4.6MB
MD5 884f182558478768a43de12bbb5bd168
SHA1 831ce37ca2289cf123733306077b936c9407319d
SHA256 bb4fa744d72612edd395213bba74efe233464cc8707ec55aa85052b6211757b4
SHA512 665e957a508547a673ec354ef8008e16058e7aa50f1520e0539940c99beb35b9375c9546efa3dab58ced01a80c95a68ed17c76350efde3472da625ea877043ff

C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
Filesize 1.5MB
MD5610b1b60dc8729bad759c92f82ee2804
SHA19992b7ae7a9c4e17a0a6d58ffd91b14cbb576552
SHA256921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08
SHA5120614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4
-
Filesize
280B
MD5aba61180781adb538821fabc58e294c2
SHA12bafd7d101043bdaf5aaad412e865cf9d4cd70e9
SHA256ce2577b364e9a7fd2a9a6506a40e6fd59110084156f6164f87f6225f53d589ef
SHA512240aaf0e37982f25d4c8a9c6e708dd0cd17a61635dc0da31ae8799392117d4b30d6ee15af419664d9fedda24c6ed2887ecd2306f39f0ee70de51fa9ce1c9ca1a
-
Filesize
101KB
MD5c0cc710fe861352bbd925d8a030ed3a6
SHA11af5f84d55d294187283457f5ec45f78487b1dcb
SHA25680e6340a0111867c4f8d4b2eb1e90821bf27b6c98a38e38053709ac7232bf136
SHA5126ace26711b110555a660456d3cc844ffa14f873f66e9f6e97c2c1ebc352a9c181320bf1cd66fee338d2bbaf91f8c48d45ca14c3023fff7e02c5772de3cff7408
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize2KB
MD5b8a3e9155f3cce26002fc47b27aadf2d
SHA1606c275b884fddf4aa5507ea4045ccc8c3749583
SHA256922d6d2e6f88db3e1c365462302dd6509f95d48a0e28f4c59f496ee82aacf869
SHA512050539f8a49b35db31ae5c7cf7166953b2ba5364b5973a10f4323482daa92f74a6850a09032542f0be4b34b97b97cf6d78d3da55c42fdfa9da4ed80cbb6c3a50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_644C4AFE7F6A4CA604A4A98F3EDFB7E0
Filesize471B
MD56f7ff7cb27893eb27f0d9198f55d5442
SHA15dc0fa4feb0cbbb6eff1b1d237b5f40f5bdbb2c1
SHA2563f0611d2e39d9b2d178221ac742cd788836c3cb42b4ccee3b4cea929feca4b5d
SHA5124447a993720b9410891174033f8271cd3a7786d30b544f2ad9495db21bb873f1fe67e8c0bd699a445de049f6243f984a3fc9c568c9a48e5a21cc6f5eace51056
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_A8DA4A611FFDE9335F5D0BEF76AAFDD4
Filesize471B
MD5efd16ca1696b31fc8517a30dc6034c87
SHA1f62372c7059043d4b6fa45c4168d7c2e6d7c898d
SHA2567dba8dc8b2c7fd536330e57c5add08804b29f2664ee9a9cebe977ab4f8e2bb5b
SHA5121527a1e9cab55c03bf1d944a88289ec027b04e557ca9ab53151aab5ccd1a21c634178754440fe776c574a18be42a305de0f534e04edfe1aaab7a5fbf961c4b25
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize1KB
MD5218c7d1455047696e539b1babb2b339d
SHA1b9cd7ce46b66ade9b0a5e2444396929dace1f568
SHA2562761ad10ac34aba20d29dbe8560f13e7144c04350464e8ac88144835b0396be3
SHA512d690abcfab2658c40df1abb4ba6cd1f867760d5711b83339f91e0d669a6024b51bd192bb05ba3ec909dddc49ead674bf2ad0cdbee4dc6bff3118b1e1589d672a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5d2880c8237a99b270a87683705222de4
SHA114e02e07f4939698ef26a56e4ee377636b5e23b5
SHA2568fa7d1a5d4706b3ac7fc8155a5cc2c92213e5d824416bd3f0e7c1851fded4e13
SHA51267bbd513520d2f8b0736b1dcaabb7a002aec0b0b706a03739fdcf57c45fbde844bca550c1043da9094ac6a7f9e86649d72c76a7b29ef90d36262e47c402baa34
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize471B
MD54f71907417c370d5ba51cb3d29eb3c6e
SHA1bae827085de5ca56b1c6a5ff34e7d22b4f6bce6c
SHA256f1af602061d0e5cacf66f52a79d807528b55a2219d6360f375bf4b51632bda0f
SHA512fb5c4f2e50ae34f533ded1e6433fe5a896c6a7a443d0b9eaf9df1078ccea16d6fe1510f5cbe9cd7c8a34e542ff8e11e5169868907d04b483eccd7bb331ffcdaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize2KB
MD55f269d75d2d9906614322fb028febc29
SHA1c47c12110437106d301c5547b3c4a075f953f16f
SHA256ff7fe1ff4947c8addec0fd1d65420e634ddaae6be3934b60f982c092140dbafa
SHA512b78fde9691610252537af73f49862684a750a2d50d6ac58b9dbdd6dc0858875d8b9971ccf6345c83e7550245dfd8a6a4b4aed7ecda85564b1c944493b5c70217
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize1KB
MD5ac0252a6c8673fa50bdf2961dd6bd471
SHA1d4a096f0d135df10b1c9cdbaed123f1f0377cb1c
SHA25619122c391d8cc9a95017536b2c46b10bc80c2ee932ae4bb99bc10ac87f6ae130
SHA512899ee2c274dfef70520a25b5ac744c55c3a513a68f327ab692c8584ddf8d69a51fa5191820d6bed84bbd2e2a1b61fdccccb85b9f3d3866ed4be70e48c6ca2ca0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize488B
MD5061a15446b9bfd6a48c125cf8fc2426a
SHA15df57ecc83f311cb4aec1fd8182455eb50487a87
SHA256576be89a169f8507853fd34c21da66faebc77ac0d51efc188724588f0040748b
SHA5124c80d71e9ef182a52cb20ba33118d62b258dc188628548857a1be8b7ce5c2c968ecf2d01a17545e4f47defdd1eec081f8ac6f7ec1f6744dc6975c76b72f765b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_644C4AFE7F6A4CA604A4A98F3EDFB7E0
Filesize488B
MD56fc7eee032434f64ba5a396520216b30
SHA10589eeac7925c38ca432713555382e8a1ac5c03e
SHA25618c18666046cf043f2db382b136a4fd7b6c8951e4f1a12f8eb36c2841959f8a6
SHA51298945ce826125ca58e40cb1828ed9dc3d173ee165190486983c9085fc682f55fa06f87853bd4d5b6282cf87d85c9fa91b1b197dd3edc03675b920b5556f3742a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_A8DA4A611FFDE9335F5D0BEF76AAFDD4
Filesize488B
MD5db4e0671badf6dbbfd65335862d34750
SHA10ff2e68b6c0521e0ff953e9e992bb9dbded7c13c
SHA25692c662fb7a8f17e6fd97f1611823a7691d71b584a4673044e1f620fbe4b524f7
SHA51293e9d5ec50cbc31cd39e96505b2cc27d30397b30b92259bf3db1d35d9566ed404c457327983f0870d8ddc833500d2fe394073329e74f564086df1627d6ac7a24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize434B
MD5155d8eb3a8facd41bd751763120fd15a
SHA1f99458ec9e5dd4c774883993490301509d7cafb2
SHA256b4d2a8a5592b2ee9b5d119e6a5f85d3822e50c55bd79c7948c158d58549918ef
SHA512389084f7534e21cf6723a0dffbd73a8b9dec096da05e968a812de741fc554769ba6176d256fdc7a89b4ecfb8e100fa30af9e47ef060e0013497021807b8c0ce5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize434B
MD59f15a3a0423335ce2448eec91541c46f
SHA1696f11346e7b57f92c91066eeee15603183db9e2
SHA256d940a47083de4df6cc154f77a7b05c256959f971e91f3fe23b3ae171a875a22c
SHA5126d8241d8fdd85a1d02ccbd672d6c68fb11a64181f99c1eff29c753ea26224b1911f1f911f93243ac1e33500e2d4db6bb5d025e5a4035846c1900fc2a0f047643
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5ded7e8aa0e985da033a86225a209a2bb
SHA14846b0b84c94a1014ef92adec5db3d2c7986db35
SHA256e8245770ab3e8ad9112746a7d0cef8ed99f0de7e2bc783402a1d8c48c3839381
SHA51224bc57fe5716fed1e0f8d59f9cfc85f339b9774e06f3f7ac6ade19813cf114512c8bb5cb16d0ab387fce18b4a4036de6f931552cf8c50f4438e0ff8fb71671fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize400B
MD56b1192cad7f85cd52d57aa4b284e2bd0
SHA17b1a36833d2c3a0bbaad487d441b430e891bb345
SHA2560c5f4d7868fb5c6effa7206ff864788ed20f464e1958ff7123ec5ad67c889445
SHA512669c4cf85af797856cbd1aa4097ee04c9f80ce111bcd8c358085934f3001bf928ad832feee5cf2691cf58af42b1af10f7cc5ba164b0093df5f7eb8de8715aac2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize458B
MD507a66330d7a2643381373dd71c45a342
SHA185b77df6e000ef24c5392019240cc3b95ba18823
SHA2569fe157908b6713380232d6b863dcd55e2a518a3bfc33e1deffb7b69b83267971
SHA5128e843db7a407ecb6e1942b9e6fab2671811ab24b37952f494e8ca6d723a69a4745bc8f399fbb929e6d764e667f4f6214b18918b02cafe55aae2a197977a5a32a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize458B
MD54a877dcc77cf6cf808833bedea4b4350
SHA10bfcd0e0d50c63f9640436b7602715d7bbed8771
SHA256a9f84a288486089176ac480b5f31b94defe0643358e09781325654704f01d385
SHA512b3d28b375cd0ad0be745ced9e7eb0f0170e71f043a56c14e6834d63aa631aaf6e9117fa56ce445bc50f5befe4c4000b783fa0287448cc0715a025001396e158e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize432B
MD57282f825881ec088e4df20633e17ab78
SHA1fe5ba009ac37ad52ba660fa01f830b99e75ce52e
SHA25692ea0cae4fd4d32d3e969409c38b3a64cf8055a5cee30fbbc154029464817852
SHA512e20536ce84e1dc1f04dd659b85a838706339a0ecf2e1f88b17a9383e7d7bc748001db23ca7acfa9209431715ff89a5ed4a9feb73f8e35d61c08ec854ff911c04
-
Filesize
152B
MD51af9fbc1d4655baf2df9e8948103d616
SHA1c58d5c208d0d5aab5b6979b64102b0086799b0bf
SHA256e83daa7b2af963dbb884d82919710164e2337f0f9f5e5c56ee4b7129d160c135
SHA512714d0ff527a8a24ec5d32a0a2b74e402ee933ea86e42d3e2fb5615c8345e6c09aa1c2ddf2dea53d71c5a666483a3b494b894326fea0cc1d8a06d3b32ec9397d3
-
Filesize
152B
MD5aa6f46176fbc19ccf3e361dc1135ece0
SHA1cb1f8c693b88331e9513b77efe47be9e43c43b12
SHA2562f5ba493c7c4192e9310cea3a96cfec4fd14c6285af6e3659627ab177e560819
SHA5125d26fdffebeb1eb5adde9f7da19fe7069e364d3f68670013cb0cc3e2b40bf1fbcb9bdebbfe999747caf141c88ccd53bd4acf2074283e4bde46b8c28fbae296f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize384B
MD57dda0b59a2e1eda50ea133d956fc900e
SHA11a04582e801e1fe5380f4ae03d39e5a43fb298d9
SHA2561168307c9505d2cbababc93222c9588dd7e0fe02d5c84c951114bf9a7793c7a9
SHA512a3dcf5fea7521f40d34cb3236ccd48f6dcb7a169407a6aab419a393a544cc0732b3740c3d9be9b6e093a4d1037f1c7ad612d3433e32cd08a1b09dff99183cb10
-
Filesize
3KB
MD5833c6b764985ae8d2b2d5d52ae052054
SHA1e58783789bda821736b88400f6eac9bd08a69e8a
SHA2566277a3978347eff9010ed53ad0aae2d27a5997942b431bc96c3c8fde02367733
SHA51261d73b6cc9e6d54f6ae6809f3cf3f563c77275e4a825d2c6ad0391b26122ce1183cf47943641234bd3de6ed720ad636b8a182c312e76384d9ebafc6125b1ae11
-
Filesize
6KB
MD52acf349d252a81658abed48e81d6edc7
SHA19e31c56190c5d87a65daaea1cf3f006ad8e9aee9
SHA2566df7f20de5cdd7b6032faf8ff1e4e8ac432511fb8db81aa7818a3f05707fcbae
SHA512882314d7d733a9415685312b2b8fa6e7a4d176366f50d282f46fe964868e866df9b0d3ff2dfb470d49d51f8749081822b123a4ec8f0d7ff4de81b041eea91fd4
-
Filesize
7KB
MD50ecc557435f77bec36a5d5d45d570675
SHA1ca7e72827c2b6a12a4bd661971756b9eba3ec251
SHA25628e843224641559061e81f01cdfff4af729c4cbffd88d4f56e8d30bb7f2b04b7
SHA51287a540c41de69f00f8f77e2bfe5925e15d85366869c29fc613dc1100da7e48b55214916d986e532b05c6605c00b9ec83a9ced4af503a5662c6cf97e818e86759
-
Filesize
7KB
MD5eb6b31898f0a2408372a09001c64bfe0
SHA15ed5eff4653f7dc3df0d29d10fe28b364f128f4d
SHA25648ffea14e0860d9e821174000b195004716880e2ccd2b7bb6cf14e6d5de4e453
SHA512352b254e7ea7dc298d1c601acbe72ff123e60975d992d9e65d0084a795768818e8b8a1233e4b4af0ccd52937eb621d7bac81bc82a2b625a8018e745c8f2b353d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\aefd5468-6dec-4e51-a491-337b95e46621.tmp
Filesize3KB
MD5e366bf5764de52e350705d65a8167682
SHA146bd9de8249b09bbb4e0f1a8d4cb4b2a3e4ecb42
SHA25681fc6ef1df2939734d90423629fb28c3b55a6361b876b0d1a9caedd9df1fea73
SHA5122b64bc3dd2bef0ccf0cd87d785fec4be2ce302f6278de8cedae3580947d6b285288c884fb175aa7c39d98d5e2fd5a9df2855606c1ef9912db10e5f4a1badf0da
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5316ac6fcc587c947bc867d5fae0e013c
SHA17cd615b61c689c21602395fca308ca84e5825561
SHA2567e2e9f306cb405505874901071de695cae5054f683b0defb25de141fe13b61a9
SHA5122ee71b62da6c9862871ea86132c8d923a65de4fa81bf9830b9e3ad961ea1e0449d2522acbeeac4f7983194c8e14e84774466511abaa118933ff4784c1cc00e59
-
Filesize
12KB
MD5ece9185e0d9a7c309cd13ea2312732b3
SHA13d3f0032c0b4024b4ffe4705dd102c4157b14c49
SHA256094f3fd5732e8ed2857f1d8bc5490441dcbf2eedb49ab7a5d86455ae118b90cb
SHA512e2d675d02d41a2ae189421da9b795038b3a6f5c8b3a77937b0afb2241c7c2e54148ae0e574f60b4178a256b5b0e3c3d830275f98bd46bf95c3d90f25850206fc
-
Filesize
163B
MD5bedbf7d7d69748886e9b48f45c75fbbe
SHA1aa0789d89bfbd44ca1bffe83851af95b6afb012c
SHA256b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61
SHA5127dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4H73KQW1\version-70a2467227df4077-rbxPkgManifest[2].txt
Filesize1KB
MD556391f65239bdb2eac877d841a63a964
SHA174956b20cd045ee4eb7bc07623eb43113d5afffa
SHA256184f6d4cf6105a41c4b651c2f72d7134fe01c0e5824b489b869041f96325fabf
SHA512351eec5e076340835cbe623610fe44a763071d381fb6aea07b02e7dc594c1a3f28c55afe08ffb156e03b001475049c024e390d22487d9d398094f33fa334d0be
-
Filesize
119B
MD536f9d29123e6d3ba11fc0606e118b42e
SHA1a01ab621c0a4ef112f3c8a22af45335377c6ea6b
SHA25639b4d267880abe6cbbc9db4e89152a3faec2e1f0ea9f4ee208382326f5d1bdf2
SHA5125c07a9b4abc9f9f5daddb3afad82d08f827375085cb17c645b6da321f1f27d406006ab76b47544978f9785ca195ad63cd3123ebf1ce5717adb64204a4aeda680
-
Filesize
5KB
MD580f5562d56a0678d0f21382c9c701ce8
SHA19a6b7401d30bc99744535ce93fd6a07b70d57ca5
SHA256c90ff6ae2e4089e3a7153c1aef453c7b5a881c7fcbfb2ec89cb52cab3cc0a61d
SHA5120c74a4c828942f7457d69a33d65a6315c0c9a6313c764149d47f5145ecf58c76a38bfdefb45331eeeb9ca0fbf5bd92a5cce4790e4c6b318865dee36474a456fe
-
Filesize
2.9MB
MD5996268fe4ef34454342c3831dab75ca3
SHA1d2a69ccb314c39a520ecbb1a1d93460b1a639695
SHA256922b8ec2afeb764f48aca9425d72038d2d140ded5d67c16d5d538d41e6e470e3
SHA512ee5967f29674342f516e2baccb98301b8ce6987d863bee2150b4863dc8a6ca485710e21d9fff0d0a370b5ee0623b8573f8c280241ce34b7f870809e93adf32b1
-
Filesize
5.0MB
MD5e5d3b8a1a30406c5f0899e94020cc821
SHA137351bacdd4f8edee07dfecd1ed14fcfee18eb18
SHA2562a5b535ccd9620aff782560722a034f5a2556a11df84e9bfe62c0b84fc86228d
SHA5128003f619e281870ef33dfd775191dfd697deb7d2f0a4e0b4ce68a0b80514aa9ee6bdbae6eaaa1289030c31b2460d62b6091fb8f2cda18f41ffac6b7443d32955
-
Filesize
388KB
MD5af5b3abd1d821836044b08ba28df46ae
SHA1b25d21701765b306e63815fa8cdccec0ca9dcb76
SHA25617e173d99d768543379f4a6383e9b5f75adaeb440d64efcfb2786c9d0ac87619
SHA512ebea6cbd07c94603b721bcaa986f9b6ee792fb774389ae85c39fe57222c918773e9c01fdd55fa094f92ac688254aa529fa6127edaa2da5f878963cad93f808b2
-
Filesize
256KB
MD501d8527854ca91b35943e764f4fcf476
SHA19c29532987fce808beeca1b8acd69aff1f0d7d28
SHA2560e98f1d3260df1b9f94182c7e53314cb7585a9f185e362d66bd30f2d94a0d9d0
SHA51270e0f68c87bf3eae282edb1360817b3c123b4eb57c26c6de251b5581f296ca10b595924cb624bf2ba13c5ae94545a6e1a47264a4d2966478a2f074b07da87618
-
Filesize
40B
MD5da63eae2d8fb7945af1256ab196934aa
SHA19cdbbd701abe8942e562027179f6bf3f50d91c6c
SHA25690ed351946919a52d39445d6f310ec3b09f8ae9de52076de185c47d12100f236
SHA5126d72d6fa7d9240fa4c676b12f39a49ff1fc49a154d77c6a6580beab7df5bd6929b722945affb5f28ef315428a5ff9052e191f4e1b6f9d427687bba666abb25f9
-
Filesize
1.9MB
MD5e0d469608e3b8f4db1757c7cf6e8e0e6
SHA1c7b4e5640a93b844a991fd74b2f6d1a82455a29b
SHA256720a43d6d3c05dbade13d1f6f6b0076965e633444f182e8f025fcd85b69262dc
SHA5128a5a33390a5063df1ec9a38ca506c1eb7c6fcc60daad2f8e84bff07f7f0978f331976a25e5356216f0c4c661cc1175fb08aedb2a8252f14f1cbd76df3f8bbbe0
-
Filesize
930KB
MD55a5cae20c9d5363da2bb928d0ccd51d5
SHA1340c09e7bb69007fd78613e9bb89715e41c86ab6
SHA25632df8259a48e9b2ec71e44b4070732137c87c8819e989fc219fa8d5fff2a4c27
SHA5124c951a74f1ab5f99b27a6a1d310b728cc313b3bdc64fd615f9c58f4d6b30c4ed47e6765a4f84ef8a02105f508a096e6a61f9c3b0237abcf7bda57615e7c60680
-
Filesize
2.0MB
MD53e9096cf7b611be32527248a465bede7
SHA1834294c154998e00c8fe098816e756ddd2efe6b1
SHA256fc737414f262d4ad2bcb6757e1978efbd4f00f5d5666a5d142e93391e0565515
SHA51205065d887c0f4206b99071aba3e41c5c6565c50834803344fe5375aabff107bebcf5f4bf7df0f4ee92b7fc9b317cec3624a5dabfa1ae5e449550c0fa9853ac0c