Resubmissions

23/02/2024, 11:54

240223-n2w51sfh88 8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/02/2024, 11:54

General

  • Target

    https://drive.google.com/file/d/147wBd9SNBhObfNefkk4Mcp7QJVFFYbGc/view?pli=1

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets file execution options in registry (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 5 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (22 IoCs)
  • Loads dropped DLL (15 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Registers COM server for autorun (1 TTP, 33 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Checks system information in the registry (2 TTPs, 8 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Modifies registry class (64 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (35 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/147wBd9SNBhObfNefkk4Mcp7QJVFFYbGc/view?pli=1
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaeda446f8,0x7ffaeda44708,0x7ffaeda44718
      2⤵
        PID:5012
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2984
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
        2⤵
          PID:2960
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
          2⤵
            PID:2120
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
            2⤵
              PID:5096
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:1796
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
                2⤵
                  PID:4932
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
                  2⤵
                    PID:2152
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4820
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
                    2⤵
                      PID:3500
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
                      2⤵
                        PID:1960
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
                        2⤵
                          PID:4300
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                          2⤵
                            PID:4172
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
                            2⤵
                              PID:2976
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                              2⤵
                                PID:1420
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
                                2⤵
                                  PID:4172
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6936 /prefetch:8
                                  2⤵
                                    PID:1348
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:8
                                    2⤵
                                      PID:5072
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:3048
                                    • C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe
                                      "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe"
                                      2⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      PID:1412
                                      • C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe
                                        "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=de7347e1fb5c5730c209cc15c480e575fad25570 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x74c,0x750,0x754,0x660,0x75c,0x982bfc,0x982c0c,0x982c1c
                                        3⤵
                                        • Executes dropped EXE
                                        PID:732
                                      • C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe"
                                        3⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Drops file in Program Files directory
                                        • Modifies Internet Explorer settings
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3656
                                        • C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe
                                          C:\Users\Admin\AppData\Local\Temp\RBX-106ED498\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=33db88719123bd6e70c8be814e9c3adf0810f627 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x52c,0x558,0x55c,0x524,0x578,0x17c86c0,0x17c86d0,0x17c86e0
                                          4⤵
                                          • Executes dropped EXE
                                          PID:4252
                                        • C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
                                          MicrosoftEdgeWebview2Setup.exe /silent /install
                                          4⤵
                                          • Executes dropped EXE
                                          • Drops file in Program Files directory
                                          PID:5224
                                          • C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\MicrosoftEdgeUpdate.exe
                                            "C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
                                            5⤵
                                            • Sets file execution options in registry
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Checks system information in the registry
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5660
                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Modifies registry class
                                              PID:3140
                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Modifies registry class
                                              PID:5656
                                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
                                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
                                                7⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Registers COM server for autorun
                                                • Modifies registry class
                                                PID:5632
                                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
                                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
                                                7⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Registers COM server for autorun
                                                • Modifies registry class
                                                PID:5844
                                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
                                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
                                                7⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Registers COM server for autorun
                                                • Modifies registry class
                                                PID:4604
                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUYyRTEwMDYtQzAyRS00RUUxLTg1MkEtNkJBOUIwQUMwMjIyfSIgdXNlcmlkPSJ7OTExNEVENTUtMzBFOC00NzRFLTlBMzEtRkFBRUI5NTI3NkM1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4NEE5QTI2Ri1CMjQ3LTQzRDctQkE4Qy01OTlGREREQjg4NzB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODMuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTcxNTY4ODU5IiBpbnN0YWxsX3RpbWVfbXM9IjY4MiIvPjwvYXBwPjwvcmVxdWVzdD4
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Checks system information in the registry
                                              PID:5928
                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{EF2E1006-C02E-4EE1-852A-6BA9B0AC0222}" /silent
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:2076
                                    • C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe
                                      "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe"
                                      2⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      PID:3744
                                      • C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe
                                        "C:\Users\Admin\Downloads\OLD ROBLOX INSTALLER.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=de7347e1fb5c5730c209cc15c480e575fad25570 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x50c,0x510,0x514,0x4e8,0x534,0x982bfc,0x982c0c,0x982c1c
                                        3⤵
                                        • Executes dropped EXE
                                        PID:4188
                                      • C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe"
                                        3⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        PID:3044
                                        • C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe
                                          C:\Users\Admin\AppData\Local\Temp\RBX-F3E2CED7\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=zflag --annotation=RobloxGitHash=33db88719123bd6e70c8be814e9c3adf0810f627 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=25 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x714,0x718,0x71c,0x69c,0x724,0xe586c0,0xe586d0,0xe586e0
                                          4⤵
                                          • Executes dropped EXE
                                          PID:5280
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11478616842355002895,5006267003049728451,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3140 /prefetch:2
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:5572
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:1072
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:2460
                                      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
                                        1⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Checks system information in the registry
                                        • Modifies data under HKEY_USERS
                                        PID:5996
                                        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                                          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUYyRTEwMDYtQzAyRS00RUUxLTg1MkEtNkJBOUIwQUMwMjIyfSIgdXNlcmlkPSJ7OTExNEVENTUtMzBFOC00NzRFLTlBMzEtRkFBRUI5NTI3NkM1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBODlDMTU5NS01MzFDLTQxNzItQjc1OS0zNEY0N0I3MTg4MkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTc2Mzc4NTI0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
                                          2⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Checks system information in the registry
                                          PID:6028
                                        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\MicrosoftEdge_X64_121.0.2277.128.exe
                                          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                                          2⤵
                                          • Executes dropped EXE
                                          PID:5208
                                          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe
                                            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
                                            3⤵
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            PID:5148
                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe
                                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FD52D46A-5544-452D-AB1B-C09DD07129F1}\EDGEMITMP_2C5A4.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7ccbd1d88,0x7ff7ccbd1d94,0x7ff7ccbd1da0
                                              4⤵
                                              • Executes dropped EXE
                                              PID:5512

                                      Network

                                            MITRE ATT&CK Enterprise v15


                                            Downloads

                                            • C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Installer\setup.exe

                                              Filesize

                                              6.6MB

                                              MD5

                                              7a4813d6dba0b2abf7376d79e068afb9

                                              SHA1

                                              a790f1518cb919875b603fc180e92f96c9e076f1

                                              SHA256

                                              dec061040fb655f176211bc8a3fc3a0c6d096f23d35129804a98261f1534447e

                                              SHA512

                                              6d93407376271abb5c902b6f508c33c83fa7e69fb192a61efa4d7a825b7abfdbfdf7b8a5f934857082a2976cd9cfcdfae1d76596aa4a2f1bebb3d712e6f6e4b4

                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\121.0.2277.128\MicrosoftEdge_X64_121.0.2277.128.exe

                                              Filesize

                                              25.3MB

                                              MD5

                                              af8c38a67e793e7a7c6fd302021c012c

                                              SHA1

                                              90733455c8eaad784d11dad85728e45e730d475b

                                              SHA256

                                              2f78c13997ee0e278b3461ac034beb462d2599b3f71ec828fc73db0857b3ceae

                                              SHA512

                                              49f3b084f6c7967c73a0b312c20e785d6703e0c2f65e1fa8051868baf8e56964ac0c7ed85ea7345668d11366757b17d45201307012fa70f24ba13ffbf1eca46f

                                            • C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\MicrosoftEdgeUpdate.exe

                                              Filesize

                                              201KB

                                              MD5

                                              4dc57ab56e37cd05e81f0d8aaafc5179

                                              SHA1

                                              494a90728d7680f979b0ad87f09b5b58f16d1cd5

                                              SHA256

                                              87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

                                              SHA512

                                              320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

                                            • C:\Program Files (x86)\Microsoft\Temp\EUCDCB.tmp\msedgeupdate.dll

                                              Filesize

                                              2.0MB

                                              MD5

                                              965b3af7886e7bf6584488658c050ca2

                                              SHA1

                                              72daabdde7cd500c483d0eeecb1bd19708f8e4a5

                                              SHA256

                                              d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

                                              SHA512

                                              1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

                                            • C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

                                              Filesize

                                              4.9MB

                                              MD5

                                              a502990d5df008eb385b5862f37c3a6c

                                              SHA1

                                              e6c92247d2ec0a7e823910f096d72a661da19db8

                                              SHA256

                                              b9a56ff86f4f6d7ca4c91aba67b55e8487dcd0c31ea75fb8664a4f28aa0411b1

                                              SHA512

                                              ff99f05a31be147e15cbfc41d9d9f371749c61dac22c2e46d73a807376c2ef8254f87c83b0d385df8f6d6262a35d95a6ea9790dde10bbb4046ecd6ed1262cbc7

                                            • C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\RobloxPlayerInstaller.exe

                                              Filesize

                                              4.6MB

                                              MD5

                                              884f182558478768a43de12bbb5bd168

                                              SHA1

                                              831ce37ca2289cf123733306077b936c9407319d

                                              SHA256

                                              bb4fa744d72612edd395213bba74efe233464cc8707ec55aa85052b6211757b4

                                              SHA512

                                              665e957a508547a673ec354ef8008e16058e7aa50f1520e0539940c99beb35b9375c9546efa3dab58ced01a80c95a68ed17c76350efde3472da625ea877043ff

                                            • C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

                                              Filesize

                                              1.5MB

                                              MD5

                                              610b1b60dc8729bad759c92f82ee2804

                                              SHA1

                                              9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

                                              SHA256

                                              921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

                                              SHA512

                                              0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

                                            • C:\Program Files\MsEdgeCrashpad\settings.dat

                                              Filesize

                                              280B

                                              MD5

                                              aba61180781adb538821fabc58e294c2

                                              SHA1

                                              2bafd7d101043bdaf5aaad412e865cf9d4cd70e9

                                              SHA256

                                              ce2577b364e9a7fd2a9a6506a40e6fd59110084156f6164f87f6225f53d589ef

                                              SHA512

                                              240aaf0e37982f25d4c8a9c6e708dd0cd17a61635dc0da31ae8799392117d4b30d6ee15af419664d9fedda24c6ed2887ecd2306f39f0ee70de51fa9ce1c9ca1a

                                            • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

                                              Filesize

                                              101KB

                                              MD5

                                              c0cc710fe861352bbd925d8a030ed3a6

                                              SHA1

                                              1af5f84d55d294187283457f5ec45f78487b1dcb

                                              SHA256

                                              80e6340a0111867c4f8d4b2eb1e90821bf27b6c98a38e38053709ac7232bf136

                                              SHA512

                                              6ace26711b110555a660456d3cc844ffa14f873f66e9f6e97c2c1ebc352a9c181320bf1cd66fee338d2bbaf91f8c48d45ca14c3023fff7e02c5772de3cff7408

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

                                              Filesize

                                              2KB

                                              MD5

                                              b8a3e9155f3cce26002fc47b27aadf2d

                                              SHA1

                                              606c275b884fddf4aa5507ea4045ccc8c3749583

                                              SHA256

                                              922d6d2e6f88db3e1c365462302dd6509f95d48a0e28f4c59f496ee82aacf869

                                              SHA512

                                              050539f8a49b35db31ae5c7cf7166953b2ba5364b5973a10f4323482daa92f74a6850a09032542f0be4b34b97b97cf6d78d3da55c42fdfa9da4ed80cbb6c3a50

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_644C4AFE7F6A4CA604A4A98F3EDFB7E0

                                              Filesize

                                              471B

                                              MD5

                                              6f7ff7cb27893eb27f0d9198f55d5442

                                              SHA1

                                              5dc0fa4feb0cbbb6eff1b1d237b5f40f5bdbb2c1

                                              SHA256

                                              3f0611d2e39d9b2d178221ac742cd788836c3cb42b4ccee3b4cea929feca4b5d

                                              SHA512

                                              4447a993720b9410891174033f8271cd3a7786d30b544f2ad9495db21bb873f1fe67e8c0bd699a445de049f6243f984a3fc9c568c9a48e5a21cc6f5eace51056

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_A8DA4A611FFDE9335F5D0BEF76AAFDD4

                                              Filesize

                                              471B

                                              MD5

                                              efd16ca1696b31fc8517a30dc6034c87

                                              SHA1

                                              f62372c7059043d4b6fa45c4168d7c2e6d7c898d

                                              SHA256

                                              7dba8dc8b2c7fd536330e57c5add08804b29f2664ee9a9cebe977ab4f8e2bb5b

                                              SHA512

                                              1527a1e9cab55c03bf1d944a88289ec027b04e557ca9ab53151aab5ccd1a21c634178754440fe776c574a18be42a305de0f534e04edfe1aaab7a5fbf961c4b25

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

                                              Filesize

                                              1KB

                                              MD5

                                              218c7d1455047696e539b1babb2b339d

                                              SHA1

                                              b9cd7ce46b66ade9b0a5e2444396929dace1f568

                                              SHA256

                                              2761ad10ac34aba20d29dbe8560f13e7144c04350464e8ac88144835b0396be3

                                              SHA512

                                              d690abcfab2658c40df1abb4ba6cd1f867760d5711b83339f91e0d669a6024b51bd192bb05ba3ec909dddc49ead674bf2ad0cdbee4dc6bff3118b1e1589d672a

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                                              Filesize

                                              1KB

                                              MD5

                                              d2880c8237a99b270a87683705222de4

                                              SHA1

                                              14e02e07f4939698ef26a56e4ee377636b5e23b5

                                              SHA256

                                              8fa7d1a5d4706b3ac7fc8155a5cc2c92213e5d824416bd3f0e7c1851fded4e13

                                              SHA512

                                              67bbd513520d2f8b0736b1dcaabb7a002aec0b0b706a03739fdcf57c45fbde844bca550c1043da9094ac6a7f9e86649d72c76a7b29ef90d36262e47c402baa34

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

                                              Filesize

                                              471B

                                              MD5

                                              4f71907417c370d5ba51cb3d29eb3c6e

                                              SHA1

                                              bae827085de5ca56b1c6a5ff34e7d22b4f6bce6c

                                              SHA256

                                              f1af602061d0e5cacf66f52a79d807528b55a2219d6360f375bf4b51632bda0f

                                              SHA512

                                              fb5c4f2e50ae34f533ded1e6433fe5a896c6a7a443d0b9eaf9df1078ccea16d6fe1510f5cbe9cd7c8a34e542ff8e11e5169868907d04b483eccd7bb331ffcdaa

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

                                              Filesize

                                              2KB

                                              MD5

                                              5f269d75d2d9906614322fb028febc29

                                              SHA1

                                              c47c12110437106d301c5547b3c4a075f953f16f

                                              SHA256

                                              ff7fe1ff4947c8addec0fd1d65420e634ddaae6be3934b60f982c092140dbafa

                                              SHA512

                                              b78fde9691610252537af73f49862684a750a2d50d6ac58b9dbdd6dc0858875d8b9971ccf6345c83e7550245dfd8a6a4b4aed7ecda85564b1c944493b5c70217

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

                                              Filesize

                                              1KB

                                              MD5

                                              ac0252a6c8673fa50bdf2961dd6bd471

                                              SHA1

                                              d4a096f0d135df10b1c9cdbaed123f1f0377cb1c

                                              SHA256

                                              19122c391d8cc9a95017536b2c46b10bc80c2ee932ae4bb99bc10ac87f6ae130

                                              SHA512

                                              899ee2c274dfef70520a25b5ac744c55c3a513a68f327ab692c8584ddf8d69a51fa5191820d6bed84bbd2e2a1b61fdccccb85b9f3d3866ed4be70e48c6ca2ca0

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

                                              Filesize

                                              488B

                                              MD5

                                              061a15446b9bfd6a48c125cf8fc2426a

                                              SHA1

                                              5df57ecc83f311cb4aec1fd8182455eb50487a87

                                              SHA256

                                              576be89a169f8507853fd34c21da66faebc77ac0d51efc188724588f0040748b

                                              SHA512

                                              4c80d71e9ef182a52cb20ba33118d62b258dc188628548857a1be8b7ce5c2c968ecf2d01a17545e4f47defdd1eec081f8ac6f7ec1f6744dc6975c76b72f765b8

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_644C4AFE7F6A4CA604A4A98F3EDFB7E0

                                              Filesize

                                              488B

                                              MD5

                                              6fc7eee032434f64ba5a396520216b30

                                              SHA1

                                              0589eeac7925c38ca432713555382e8a1ac5c03e

                                              SHA256

                                              18c18666046cf043f2db382b136a4fd7b6c8951e4f1a12f8eb36c2841959f8a6

                                              SHA512

                                              98945ce826125ca58e40cb1828ed9dc3d173ee165190486983c9085fc682f55fa06f87853bd4d5b6282cf87d85c9fa91b1b197dd3edc03675b920b5556f3742a

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_A8DA4A611FFDE9335F5D0BEF76AAFDD4

                                              Filesize

                                              488B

                                              MD5

                                              db4e0671badf6dbbfd65335862d34750

                                              SHA1

                                              0ff2e68b6c0521e0ff953e9e992bb9dbded7c13c

                                              SHA256

                                              92c662fb7a8f17e6fd97f1611823a7691d71b584a4673044e1f620fbe4b524f7

                                              SHA512

                                              93e9d5ec50cbc31cd39e96505b2cc27d30397b30b92259bf3db1d35d9566ed404c457327983f0870d8ddc833500d2fe394073329e74f564086df1627d6ac7a24

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

                                              Filesize

                                              434B

                                              MD5

                                              155d8eb3a8facd41bd751763120fd15a

                                              SHA1

                                              f99458ec9e5dd4c774883993490301509d7cafb2

                                              SHA256

                                              b4d2a8a5592b2ee9b5d119e6a5f85d3822e50c55bd79c7948c158d58549918ef

                                              SHA512

                                              389084f7534e21cf6723a0dffbd73a8b9dec096da05e968a812de741fc554769ba6176d256fdc7a89b4ecfb8e100fa30af9e47ef060e0013497021807b8c0ce5

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

                                              Filesize

                                              434B

                                              MD5

                                              9f15a3a0423335ce2448eec91541c46f

                                              SHA1

                                              696f11346e7b57f92c91066eeee15603183db9e2

                                              SHA256

                                              d940a47083de4df6cc154f77a7b05c256959f971e91f3fe23b3ae171a875a22c

                                              SHA512

                                              6d8241d8fdd85a1d02ccbd672d6c68fb11a64181f99c1eff29c753ea26224b1911f1f911f93243ac1e33500e2d4db6bb5d025e5a4035846c1900fc2a0f047643

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                                              Filesize

                                              482B

                                              MD5

                                              ded7e8aa0e985da033a86225a209a2bb

                                              SHA1

                                              4846b0b84c94a1014ef92adec5db3d2c7986db35

                                              SHA256

                                              e8245770ab3e8ad9112746a7d0cef8ed99f0de7e2bc783402a1d8c48c3839381

                                              SHA512

                                              24bc57fe5716fed1e0f8d59f9cfc85f339b9774e06f3f7ac6ade19813cf114512c8bb5cb16d0ab387fce18b4a4036de6f931552cf8c50f4438e0ff8fb71671fd

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

                                              Filesize

                                              400B

                                              MD5

                                              6b1192cad7f85cd52d57aa4b284e2bd0

                                              SHA1

                                              7b1a36833d2c3a0bbaad487d441b430e891bb345

                                              SHA256

                                              0c5f4d7868fb5c6effa7206ff864788ed20f464e1958ff7123ec5ad67c889445

                                              SHA512

                                              669c4cf85af797856cbd1aa4097ee04c9f80ce111bcd8c358085934f3001bf928ad832feee5cf2691cf58af42b1af10f7cc5ba164b0093df5f7eb8de8715aac2

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

                                              Filesize

                                              458B

                                              MD5

                                              07a66330d7a2643381373dd71c45a342

                                              SHA1

                                              85b77df6e000ef24c5392019240cc3b95ba18823

                                              SHA256

                                              9fe157908b6713380232d6b863dcd55e2a518a3bfc33e1deffb7b69b83267971

                                              SHA512

                                              8e843db7a407ecb6e1942b9e6fab2671811ab24b37952f494e8ca6d723a69a4745bc8f399fbb929e6d764e667f4f6214b18918b02cafe55aae2a197977a5a32a

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

                                              Filesize

                                              458B

                                              MD5

                                              4a877dcc77cf6cf808833bedea4b4350

                                              SHA1

                                              0bfcd0e0d50c63f9640436b7602715d7bbed8771

                                              SHA256

                                              a9f84a288486089176ac480b5f31b94defe0643358e09781325654704f01d385

                                              SHA512

                                              b3d28b375cd0ad0be745ced9e7eb0f0170e71f043a56c14e6834d63aa631aaf6e9117fa56ce445bc50f5befe4c4000b783fa0287448cc0715a025001396e158e

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

                                              Filesize

                                              432B

                                              MD5

                                              7282f825881ec088e4df20633e17ab78

                                              SHA1

                                              fe5ba009ac37ad52ba660fa01f830b99e75ce52e

                                              SHA256

                                              92ea0cae4fd4d32d3e969409c38b3a64cf8055a5cee30fbbc154029464817852

                                              SHA512

                                              e20536ce84e1dc1f04dd659b85a838706339a0ecf2e1f88b17a9383e7d7bc748001db23ca7acfa9209431715ff89a5ed4a9feb73f8e35d61c08ec854ff911c04

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              1af9fbc1d4655baf2df9e8948103d616

                                              SHA1

                                              c58d5c208d0d5aab5b6979b64102b0086799b0bf

                                              SHA256

                                              e83daa7b2af963dbb884d82919710164e2337f0f9f5e5c56ee4b7129d160c135

                                              SHA512

                                              714d0ff527a8a24ec5d32a0a2b74e402ee933ea86e42d3e2fb5615c8345e6c09aa1c2ddf2dea53d71c5a666483a3b494b894326fea0cc1d8a06d3b32ec9397d3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              aa6f46176fbc19ccf3e361dc1135ece0

                                              SHA1

                                              cb1f8c693b88331e9513b77efe47be9e43c43b12

                                              SHA256

                                              2f5ba493c7c4192e9310cea3a96cfec4fd14c6285af6e3659627ab177e560819

                                              SHA512

                                              5d26fdffebeb1eb5adde9f7da19fe7069e364d3f68670013cb0cc3e2b40bf1fbcb9bdebbfe999747caf141c88ccd53bd4acf2074283e4bde46b8c28fbae296f5

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                              Filesize

                                              384B

                                              MD5

                                              7dda0b59a2e1eda50ea133d956fc900e

                                              SHA1

                                              1a04582e801e1fe5380f4ae03d39e5a43fb298d9

                                              SHA256

                                              1168307c9505d2cbababc93222c9588dd7e0fe02d5c84c951114bf9a7793c7a9

                                              SHA512

                                              a3dcf5fea7521f40d34cb3236ccd48f6dcb7a169407a6aab419a393a544cc0732b3740c3d9be9b6e093a4d1037f1c7ad612d3433e32cd08a1b09dff99183cb10

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                              Filesize

                                              3KB

                                              MD5

                                              833c6b764985ae8d2b2d5d52ae052054

                                              SHA1

                                              e58783789bda821736b88400f6eac9bd08a69e8a

                                              SHA256

                                              6277a3978347eff9010ed53ad0aae2d27a5997942b431bc96c3c8fde02367733

                                              SHA512

                                              61d73b6cc9e6d54f6ae6809f3cf3f563c77275e4a825d2c6ad0391b26122ce1183cf47943641234bd3de6ed720ad636b8a182c312e76384d9ebafc6125b1ae11

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              2acf349d252a81658abed48e81d6edc7

                                              SHA1

                                              9e31c56190c5d87a65daaea1cf3f006ad8e9aee9

                                              SHA256

                                              6df7f20de5cdd7b6032faf8ff1e4e8ac432511fb8db81aa7818a3f05707fcbae
