Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2024, 11:49
Static task: static1
URLScan task: urlscan1
General
Malware Config
Signatures
Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs
Writes under Image File Execution Options (IFEO). The value written here, DisableExceptionChainValidation = 0, controls SEHOP (structured exception handler overwrite protection) for the named image, and 0 leaves that protection on. The IFEO value that redirects execution of an image is Debugger; no Debugger value is written in this run, so the signature fires on the key being touched, not on a hijack.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely as a geofence. Both Roblox launcher processes and the Edge updater read the same value.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | RobloxPlayerLauncher (1).exe
Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | RobloxPlayerLauncher.exe
Executes dropped EXE 18 IoCs
pid | process
924 | RobloxPlayerLauncher (1).exe
2180 | RobloxPlayerLauncher (1).exe
2516 | RobloxPlayerLauncher.exe
2120 | RobloxPlayerLauncher.exe
3672 | MicrosoftEdgeWebview2Setup.exe
3120 | MicrosoftEdgeUpdate.exe
676 | MicrosoftEdgeUpdate.exe
1972 | MicrosoftEdgeUpdate.exe
4892 | MicrosoftEdgeUpdateComRegisterShell64.exe
2880 | MicrosoftEdgeUpdateComRegisterShell64.exe
1524 | MicrosoftEdgeUpdateComRegisterShell64.exe
4808 | MicrosoftEdgeUpdate.exe
1064 | MicrosoftEdgeUpdate.exe
3592 | MicrosoftEdgeUpdate.exe
1492 | MicrosoftEdgeUpdate.exe
3472 | MicrosoftEdge_X64_121.0.2277.128.exe
1636 | setup.exe
2880 | setup.exe
PID 2880 appears twice (first MicrosoftEdgeUpdateComRegisterShell64.exe, later setup.exe): the number was reused after the first process exited, so correlate the rows below on process name and order rather than on PID alone.
Loads dropped DLL 15 IoCs
One row per load event; the DLL names themselves are not listed in this view, and a PID that repeats (1972 four times, 1064 and 3592 twice) loaded more than one dropped DLL.
pid | process
3120 | MicrosoftEdgeUpdate.exe
676 | MicrosoftEdgeUpdate.exe
1972 | MicrosoftEdgeUpdate.exe
4892 | MicrosoftEdgeUpdateComRegisterShell64.exe
1972 | MicrosoftEdgeUpdate.exe
2880 | MicrosoftEdgeUpdateComRegisterShell64.exe
1972 | MicrosoftEdgeUpdate.exe
1524 | MicrosoftEdgeUpdateComRegisterShell64.exe
1972 | MicrosoftEdgeUpdate.exe
4808 | MicrosoftEdgeUpdate.exe
1064 | MicrosoftEdgeUpdate.exe
3592 | MicrosoftEdgeUpdate.exe
3592 | MicrosoftEdgeUpdate.exe
1064 | MicrosoftEdgeUpdate.exe
1492 | MicrosoftEdgeUpdate.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun 1 TTPs 33 IoCs
All 33 rows come from MicrosoftEdgeUpdateComRegisterShell64.exe and register three in-process COM servers backed by the same DLL. Every operation below is logged three times, once per instance of that process (PIDs 4892, 2880 and 1524 above); for the first two CLSIDs one of the three "Key deleted" rows is recorded with the path in upper case (\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\...\INPROCSERVER32).
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Triage note: all three CLSIDs resolve to psmachine_64.dll inside the versioned EdgeUpdate directory under Program Files (x86), and {8B15189E-5465-4166-933D-1EABAD9648CB} is the ProxyStubClsid32 that the Interface entries under "Modifies registry class" below point at, i.e. this is the updater registering its own COM proxy/stub DLL. The signature fires on any InprocServer32 registration; what separates a COM hijack from an install is a server path outside a protected directory, or a binary that is unsigned or does not match the registered product.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system. No IoC rows are listed for this signature.

The following rows carry no signature heading in the source. Both launcher processes open the EnableLUA policy value, i.e. they check whether UAC is enabled.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerLauncher (1).exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerLauncher.exe
Checks system information in the registry 2 TTPs 8 IoCs
System information is often read in order to detect sandboxing environments. Here MicrosoftEdgeUpdate.exe reads SystemManufacturer and SystemProductName four times each; updaters also collect these values for hardware telemetry, so on its own this is a weak signal and should be weighed against what the process does afterwards.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
(each of the two rows above is logged four times, 8 IoCs in total)
Drops file in Program Files directory 64 IoCs
The 64 rows split by process and target directory as follows. File names shown as "[email protected]" were mangled by the extractor (the original names contain an @) and are left as they appear. The count of 64 matches the largest count shown for any signature on this page and is probably a display cap rather than the full set of files written.

RobloxPlayerLauncher.exe, File created, under C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\ (51 rows):
content\textures\StudioToolbox\ProductOwned.png
content\textures\ui\scroll-top.png
ExtraContent\textures\ui\LuaApp\ExternalSite\roblox.png
content\textures\AnimationEditor\FaceCaptureUI\ReRecordButton.png
content\textures\StudioSharedUI\filter.png
content\textures\particles\explosion01_shockwave_main.dds
content\textures\GameSettings\Warning.png
content\textures\StudioToolbox\verified-badge-2x.png
content\textures\StudioToolbox\AssetConfig\listview.png
content\textures\Cursors\DragDetector\ActivatedCursor.png
content\textures\ui\Controls\DefaultController\[email protected]
content\textures\glow.png
content\textures\ui\Settings\Help\[email protected]
content\textures\ui\Controls\[email protected]
content\textures\AnimationEditor\img_key_indicator_border.png
content\textures\AvatarImporter\img_dark_R15.png
content\textures\ManageCollaborators\FriendIcon_dark.png
content\textures\TerrainTools\mtrl_woodplanks.png
content\textures\ui\Settings\Help\[email protected]
content\textures\ui\Settings\LeaveGame\gr-item selector-8px corner.png
content\textures\ui\VoiceChat\SpeakerLight\[email protected]
content\textures\transformFiveDegrees.png
content\textures\DeveloperFramework\AssetPreview\more.png
content\textures\ui\Controls\DesignSystem\DpadUp.png
content\textures\ui\VoiceChat\SpeakerDark\Unmuted60.png
content\textures\ui\VoiceChat\SpeakerLight\[email protected]
content\avatar\meshes\rightarm.mesh
content\textures\TerrainTools\mt_smooth.png
content\sky\cloudDetail3D.dds
content\textures\StudioToolbox\AssetConfig\[email protected]
content\textures\TerrainTools\import_toggleOn_dark.png
content\textures\RoactStudioWidgets\toggle_on_light.png
content\textures\ui\Controls\DesignSystem\[email protected]
content\textures\ViewSelector\top.png
ExtraContent\textures\ui\LuaChatV2\[email protected]
content\textures\advancedMove_noJoint.png
content\textures\StudioToolbox\AssetConfig\onsale.png
content\textures\ui\TopBar\[email protected]
ExtraContent\textures\ui\LuaChat\9-slice\[email protected]
content\textures\StudioSharedUI\alert_error_withbg.png
content\textures\DeveloperFramework\Votes\rating_up_red.png
content\textures\TerrainTools\icon_shape_cylinder.png
content\textures\ui\Emotes\Editor\Small\[email protected]
content\textures\ui\VoiceChat\SpeakerNew\[email protected]
content\textures\AnimationEditor\image_keyframe_elastic_selected.png
content\textures\StudioToolbox\AssetConfig\[email protected]
content\textures\ui\Controls\DesignSystem\Thumbstick1.png
ExtraContent\textures\ui\InGameMenu\TouchControls\touch_action_move_1.png
ExtraContent\textures\ui\LuaApp\graphic\gr-avatar-frame-36x36.png
content\textures\AnimationEditor\img_timetag.png
content\textures\MaterialGenerator\Materials\Wood.png

setup.exe under C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\ (9 rows):
File opened for modification: Locales\sv.pak, Locales\az.pak, Locales\ca-Es-VALENCIA.pak, Locales\ur.pak, Locales\fil.pak, PdfPreview\PdfPreviewHandler.dll
File created: Extensions\external_extensions.json, Locales\fr.pak, msvcp140.dll

setup.exe under C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\ (2 rows):
File opened for modification: identity_proxy\win10\identity_helper.Sparse.Canary.msix, Locales\fa.pak

MicrosoftEdgeWebview2Setup.exe, File created, under C:\Program Files (x86)\Microsoft\Temp\EUA013.tmp\ (2 rows):
msedgeupdateres_cy.dll, msedgeupdateres_mt.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
The reader here is msedge.exe, which is not among the dropped executables listed above; Edge 121.0.2277.128 was installed by setup.exe during this run, so these reads come from the browser itself.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

The following rows carry no signature heading in the source. RobloxPlayerLauncher.exe registers the roblox-studio URL scheme under Internet Explorer's ProtocolExecute key and sets WarnOnOpen = 0, which suppresses the "allow this website to open a program" prompt for that scheme. Legitimate installers do this for their own protocol handlers; the thing to check is which executable the scheme is bound to.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerLauncher.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerLauncher.exe
Modifies data under HKEY_USERS 41 IoCs
All 41 rows are "Key created" by MicrosoftEdgeUpdate.exe beneath \REGISTRY\USER\.DEFAULT\Software\, the profile hive seen by processes running as SYSTEM. The rows show only key creation, no certificate, CRL or CTL values: this is the set of empty certificate-store and WinTrust container keys that CryptoAPI creates the first time a process under that profile opens its certificate stores, which is consistent with the updater verifying Authenticode signatures as a service.
Key created (all rows, process MicrosoftEdgeUpdate.exe), paths relative to \REGISTRY\USER\.DEFAULT\Software\:
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Microsoft\SystemCertificates\Root, Root\Certificates, Root\CRLs, Root\CTLs
Microsoft\SystemCertificates\CA, CA\Certificates, CA\CRLs, CA\CTLs
Microsoft\SystemCertificates\Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
Microsoft\SystemCertificates\trust, trust\Certificates, trust\CRLs, trust\CTLs
Microsoft\SystemCertificates\TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Microsoft\SystemCertificates\SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
Policies\Microsoft\SystemCertificates\CA, CA\Certificates, CA\CRLs, CA\CTLs
Policies\Microsoft\SystemCertificates\Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
Policies\Microsoft\SystemCertificates\trust, trust\Certificates, trust\CRLs, trust\CTLs
Policies\Microsoft\SystemCertificates\TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Modifies registry class 64 IoCs
COM registration for the Edge updater: CLSIDs, ProgIDs and Interface entries under \REGISTRY\MACHINE\SOFTWARE\Classes (the 32-bit view under WOW6432Node is written by MicrosoftEdgeUpdate.exe, the 64-bit view by MicrosoftEdgeUpdateComRegisterShell64.exe).
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\ = "Microsoft Edge Update Core Class" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateBroker.exe\"" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\ = "Microsoft Edge Update Broker Class Factory" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Microsoft Edge Update Legacy On Demand" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateOnDemand.exe\"" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\ = "Microsoft Edge Update CredentialDialog" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "Microsoft Edge Update Legacy On Demand" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation\Enabled = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\Enabled = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | MicrosoftEdgeUpdate.exe
Triage note: two rows set Elevation\Enabled = 1 on CLSIDs {2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0} and {77857D02-7A25-4B67-9266-3E122A8F39E4}, which marks those classes as startable through the COM elevation moniker, i.e. their out-of-process server runs elevated after a UAC prompt shown in the class's own name. That is how the updater installs without re-prompting, and also why elevatable classes are a standing target: whoever can replace or redirect the server binary gets an elevated process. The two LocalServer32 values shown here ({492E1C30-...} and {FF419FF9-...}) point at MicrosoftEdgeUpdateBroker.exe and MicrosoftEdgeUpdateOnDemand.exe in the versioned EdgeUpdate directory under Program Files (x86), which is the expected location; the server paths for the two elevatable CLSIDs are not included in this view and should be confirmed on the host.
NTFS ADS 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 246766.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 498864.crdownload:SmartScreen msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process (repeats collapsed)
3952 msedge.exe (x2)
688 msedge.exe (x2)
4124 identity_helper.exe (x2)
4008 msedge.exe (x2)
2516 RobloxPlayerLauncher.exe (x2)
3120 MicrosoftEdgeUpdate.exe (x2)
944 msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process
688 msedge.exe (x8)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 3120 MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 42 IoCs
pid Process
688 msedge.exe (x42)

Suspicious use of SendNotifyMessage 24 IoCs
pid Process
688 msedge.exe (x24)

Suspicious use of WriteProcessMemory 64 IoCs
All 64 writes come from PID 688 msedge.exe; the targets are listed once each, repeats collapsed (most of the writes go to 816 and 636):
688 msedge.exe wrote to memory of 1208 (procid_target 50)
688 msedge.exe wrote to memory of 816 (procid_target 87)
688 msedge.exe wrote to memory of 3952 (procid_target 86)
688 msedge.exe wrote to memory of 636 (procid_target 88)
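The registry signatures above mix genuinely dangerous primitives (an Image File Execution Options write, COM classes flagged with Elevation\Enabled = 1) with the routine COM registration an Omaha-style updater performs. The triage pass below is an added example, not part of this report or of any Microsoft or Roblox code: it parses "Set value" lines in the report's own format, rates IFEO writes (a Debugger value or GlobalFlag 0x200 is the hijack primitive; DisableExceptionChainValidation = 0 keeps SEHOP enabled, which this report shows MicrosoftEdgeUpdate.exe writing for its own image) and joins each CLSID's LocalServer32/InProcServer32 path with its Elevation flag, so an auto-elevating class served from a user-writable path stands out. SAMPLE_EVENTS is constructed: its first three lines copy entries from this report; the last three (dropper.exe, sethc.exe\Debugger and the CLSID {11111111-...}) are hypothetical hostile entries added so the classifier has something to flag. The trusted-directory list is an assumption of the example.

```python
"""Triage 'Set value (type) key\\value = "data" process' lines from a sandbox report.

Added example, not part of the report or of any Microsoft or Roblox code.
SAMPLE_EVENTS is constructed: three lines copied from this report plus three
hypothetical hostile entries (dropper.exe and its CLSID are not in the report).
"""
import codecs
import re

SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateOnDemand.exe\"" MicrosoftEdgeUpdate.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\System32\\cmd.exe" dropper.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" dropper.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\Elevation\Enabled = "1" dropper.exe
"""

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
CLSID_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\(?P<tail>[^\\]+)$")
IFEO_MARK = "\\Image File Execution Options\\"
# assumption of this example: binaries under these roots need admin rights to replace
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_event(line):
    """Split one 'Set value' line into key, value name, unescaped data and writing process."""
    m = SET_RE.match(line)
    if not m:
        return None                      # 'Key created' lines carry no data; skipped here
    key, _, value_name = m["path"].rpartition("\\")   # a trailing '\' means the key's default value
    data = codecs.decode(m["data"], "unicode_escape").strip('"')
    return {"key": key, "value": value_name, "data": data, "proc": m["proc"]}


def classify_ifeo(ev):
    """Rate an Image File Execution Options write; returns (severity, detail) or None."""
    if IFEO_MARK not in ev["key"]:
        return None
    image = ev["key"].split(IFEO_MARK, 1)[1].split("\\")[0]
    name, data = ev["value"], ev["data"]
    if name == "Debugger":
        # the hijack primitive: Windows launches <data> whenever <image> is started (T1546.012)
        return ("high", f"IFEO Debugger on {image} -> {data} (T1546.012)")
    if name == "GlobalFlag" and int(data, 0) & 0x200:
        return ("high", f"IFEO GlobalFlag 0x200 on {image}: SilentProcessExit monitoring armed")
    if name == "DisableExceptionChainValidation" and data == "0":
        # 0 keeps SEHOP enabled for the image: a hardening setting, not a redirection
        return ("info", f"IFEO on {image} keeps SEHOP enabled: hardening, not a hijack")
    return ("medium", f"IFEO {name}={data} on {image}: review")


def classify_com(events):
    """Join LocalServer32/InProcServer32 paths with Elevation\\Enabled flags per CLSID."""
    servers, elevated = {}, set()
    for ev in events:
        m = CLSID_RE.search(ev["key"])
        if not m:
            continue
        clsid, tail = m["clsid"], m["tail"].lower()
        if tail in ("localserver32", "inprocserver32") and ev["value"] == "":
            servers[clsid] = ev["data"]
        elif tail == "elevation" and ev["value"].lower() == "enabled" and ev["data"] == "1":
            elevated.add(clsid)          # class is launchable through the COM elevation moniker
    findings = []
    for clsid, exe in servers.items():
        trusted = exe.lower().startswith(TRUSTED_DIRS)
        note = " (auto-elevating)" if clsid in elevated else ""
        sev = "info" if trusted else ("high" if clsid in elevated else "medium")
        findings.append((sev, f"CLSID {clsid} served by {exe}{note}"))
    for clsid in sorted(elevated - set(servers)):
        findings.append(("info", f"CLSID {clsid} has Elevation\\Enabled=1; no server path among these events"))
    return findings


def triage(text):
    """Run both classifiers over report lines; returns a list of (severity, detail)."""
    events = [ev for ev in map(parse_event, text.strip().splitlines()) if ev]
    findings = [f for f in map(classify_ifeo, events) if f]
    return findings + classify_com(events)


if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity:<6}] {detail}")
```

Run against the report's own lines, the EdgeUpdate entries come out as "info": the IFEO value is the SEHOP-on setting and the on-demand COM server lives under Program Files (x86). The constructed dropper entries are what "high" looks like: an IFEO Debugger redirection and an elevation-enabled class whose server binary sits in the user's Temp directory.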
Processes
(indentation shows the parent/child nesting of the report's process tree)

PID 688  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/download?id=12kd989V97CfalkewsTfvEHiqtU0VG3Ky&export=download&authuser=0
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 1208  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2f8646f8,0x7ffa2f864708,0x7ffa2f864718

  PID 3952  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 816  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

  PID 636  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8

  PID 2320  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

  PID 3536  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1

  PID 2932  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

  PID 3128  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

  PID 4124  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 1732  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

  PID 4628  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

  PID 1152  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

  PID 2868  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

  PID 2008  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

  PID 3480  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:8

  PID 1888  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8

  PID 4244  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1776 /prefetch:8

  PID 4008  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 924  C:\Users\Admin\Downloads\RobloxPlayerLauncher (1).exe
    "C:\Users\Admin\Downloads\RobloxPlayerLauncher (1).exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled

    PID 2180  C:\Users\Admin\Downloads\RobloxPlayerLauncher (1).exe
      "C:\Users\Admin\Downloads\RobloxPlayerLauncher (1).exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=zflag --annotation=RobloxGitHash=1d9f002e729bfec6bc8f6da3306d24b90d2cae1c --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=25 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x6b8,0x46c,0x6b0,0x764,0x6c0,0x1281c04,0x1281c14,0x1281c24
      - Executes dropped EXE

    PID 2516  C:\Users\Admin\AppData\Local\Temp\RBX-C81FFB0D\RobloxPlayerLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\RBX-C81FFB0D\RobloxPlayerLauncher.exe" -channel zflag
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses

      PID 2120  C:\Users\Admin\AppData\Local\Temp\RBX-C81FFB0D\RobloxPlayerLauncher.exe
        C:\Users\Admin\AppData\Local\Temp\RBX-C81FFB0D\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=zflag --annotation=RobloxGitHash=33db88719123bd6e70c8be814e9c3adf0810f627 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=25 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x578,0x57c,0x580,0x508,0x5b0,0x17986c0,0x17986d0,0x17986e0
        - Executes dropped EXE

      PID 3672  C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
        MicrosoftEdgeWebview2Setup.exe /silent /install
        - Executes dropped EXE
        - Drops file in Program Files directory

        PID 3120  C:\Program Files (x86)\Microsoft\Temp\EUA013.tmp\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\Temp\EUA013.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
          - Sets file execution options in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks system information in the registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          PID 676  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class

          PID 1972  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class

            PID 4892  C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Registers COM server for autorun
              - Modifies registry class

            PID 2880  C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Registers COM server for autorun
              - Modifies registry class

            PID 1524  C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Registers COM server for autorun
              - Modifies registry class

          PID 4808  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0ZENEI2NjAtNjM2Qi00QjZBLUFGMEUtRjg5QzdGNUUwM0RCfSIgdXNlcmlkPSJ7RkE4NzZGN0ItOTNFQS00ODk1LThDNzEtMzBEQkEwMDQ4NjcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0QUU3RDFCQS1DNTE4LTQyMzQtOEZCMC0yRUMyQkE4RTQ2N0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODMuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDU3ODY0MDg1IiBpbnN0YWxsX3RpbWVfbXM9IjU1OSIvPjwvYXBwPjwvcmVxdWVzdD4
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks system information in the registry

          PID 1064  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{3FD4B660-636B-4B6A-AF0E-F89C7F5E03DB}" /silent
            - Executes dropped EXE
            - Loads dropped DLL

  PID 944  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4912525195357777029,9066042860865760132,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4604 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

PID 756  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1580  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 3592  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Modifies data under HKEY_USERS

  PID 1492  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0ZENEI2NjAtNjM2Qi00QjZBLUFGMEUtRjg5QzdGNUUwM0RCfSIgdXNlcmlkPSJ7RkE4NzZGN0ItOTNFQS00ODk1LThDNzEtMzBEQkEwMDQ4NjcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBNzgyODY4Mi03N0I4LTQ4MDYtQTZEQi04RDNDOThCMjRBN0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDYyMTQzOTY4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry

  PID 3472  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\MicrosoftEdge_X64_121.0.2277.128.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    - Executes dropped EXE

    PID 1636  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\EDGEMITMP_FDA14.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\EDGEMITMP_FDA14.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      - Executes dropped EXE
      - Drops file in Program Files directory

      PID 2880  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\EDGEMITMP_FDA14.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\EDGEMITMP_FDA14.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{56878A9D-EEA1-44A7-B9C6-0B07FCE549E1}\EDGEMITMP_FDA14.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6d2741d88,0x7ff6d2741d94,0x7ff6d2741da0
        - Executes dropped EXE
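The process tree is the part of this report worth automating: the chain runs from the browser through a launcher in Downloads and a copy in AppData\Local\Temp before it reaches the WebView2 bootstrapper and the Edge Update binaries, and the updater's /ping argument carries an XML telemetry request that the sandbox shows only as base64. The example below is added here and is not part of the report or of any Microsoft or Roblox code. It parses report lines as they are extracted on this page (image path, command line and a trailing nesting digit run together, then optional signature bullets and a "PID:" line), rebuilds parent/child relations from the nesting digits with a stack, lists processes whose image lives under a user-writable directory, and decodes the /ping payload as unpadded base64url (the "-" characters in it are the base64url form of "+"). SAMPLE_TREE is constructed: it keeps a subset of this report's processes with the long crashpad and renderer command lines shortened, and copies the /ping argument of PID 4808 verbatim. Two assumptions of the example: the nesting marker is a single digit, and the user-writable directory markers are the ones a standard user can write to on a default Windows install.

```python
"""Rebuild a sandbox process tree from extracted report lines and decode Omaha /ping telemetry.

Added example, not part of the report or of any Microsoft or Roblox code.
SAMPLE_TREE is constructed: a subset of this report's processes with long command
lines shortened; the /ping argument of PID 4808 is copied from the report verbatim.
"""
import base64
import re
import xml.etree.ElementTree as ET

SAMPLE_TREE = r"""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/download?id=12kd989V97CfalkewsTfvEHiqtU0VG3Ky&export=download&authuser=01⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:72⤵PID:1208
C:\Users\Admin\Downloads\RobloxPlayerLauncher (1).exe"C:\Users\Admin\Downloads\RobloxPlayerLauncher (1).exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:924
C:\Users\Admin\AppData\Local\Temp\RBX-C81FFB0D\RobloxPlayerLauncher.exe"C:\Users\Admin\AppData\Local\Temp\RBX-C81FFB0D\RobloxPlayerLauncher.exe" -channel zflag3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2516
C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exeMicrosoftEdgeWebview2Setup.exe /silent /install4⤵
- Executes dropped EXE
PID:3672
C:\Program Files (x86)\Microsoft\Temp\EUA013.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUA013.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"5⤵
- Sets file execution options in registry
PID:3120
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc6⤵
- Modifies registry class
PID:676
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0ZENEI2NjAtNjM2Qi00QjZBLUFGMEUtRjg5QzdGNUUwM0RCfSIgdXNlcmlkPSJ7RkE4NzZGN0ItOTNFQS00ODk1LThDNzEtMzBEQkEwMDQ4NjcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0QUU3RDFCQS1DNTE4LTQyMzQtOEZCMC0yRUMyQkE4RTQ2N0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xODMuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDU3ODY0MDg1IiBpbnN0YWxsX3RpbWVfbXM9IjU1OSIvPjwvYXBwPjwvcmVxdWVzdD46⤵
- Checks system information in the registry
PID:4808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox /prefetch:22⤵
PID:944
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:756
"""

# image path up to the first ".exe", then the command line, then a one-digit nesting marker
# (assumption of this example) and an optional in-line "PID:<n>"
PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)$")
# assumption of this example: directories a standard user can write to
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def parse_tree(text):
    """Return {pid: node}; a node holds path, cmd, depth, parent pid and signature tags.
    Parents are recovered from the nesting digit with a stack of open ancestors."""
    nodes, stack, pending = {}, [], None
    for line in (raw.strip() for raw in text.strip().splitlines()):
        m = PROC_RE.match(line)
        if m:
            pending = {"path": m["path"], "cmd": m["cmd"].strip(), "depth": int(m["depth"]),
                       "parent": None, "signatures": []}
            pid = m["pid"]
        elif pending is not None and line.startswith("- "):
            pending["signatures"].append(line[2:])
            continue
        else:
            m = PID_RE.match(line)
            pid = m["pid"] if m else None
        if pending is not None and pid is not None:
            pid = int(pid)
            while stack and stack[-1][0] >= pending["depth"]:
                stack.pop()                      # close sibling and deeper branches
            pending["parent"] = stack[-1][1] if stack else None
            stack.append((pending["depth"], pid))
            nodes[pid] = pending
            pending = None
    return nodes


def ancestry(nodes, pid):
    """Root-first chain of pids leading to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = nodes[pid]["parent"]
    return chain[::-1]


def launched_from_user_writable(nodes):
    """Pids whose image lives under a directory a standard user can write to."""
    return sorted(pid for pid, n in nodes.items()
                  if any(mark in n["path"].lower() for mark in USER_WRITABLE))


def decode_ping(cmd):
    """Decode the unpadded base64url Omaha request XML that follows /ping."""
    m = re.search(r"/ping (\S+)", cmd)
    if not m:
        return None
    blob = m.group(1)
    raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    root = ET.fromstring(raw)
    app, os_, oem = root.find("app"), root.find("os"), root.find("oem")
    event = app.find("event")
    return {
        "updater": root.get("updater"),
        "sessionid": root.get("sessionid"),
        "os_version": os_.get("version"),
        "oem": (oem.get("product_manufacturer"), oem.get("product_name")),
        "appid": app.get("appid"),
        "version": app.get("version"),
        "nextversion": app.get("nextversion"),
        "event": (event.get("eventtype"), event.get("eventresult")),
    }


def summarize(text):
    """Tree, lineage chains, user-writable launches and decoded pings for one report."""
    nodes = parse_tree(text)
    return {
        "chains": {pid: ancestry(nodes, pid) for pid in nodes},
        "user_writable": launched_from_user_writable(nodes),
        "pings": {pid: decode_ping(n["cmd"]) for pid, n in nodes.items() if "/ping " in n["cmd"]},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TREE)
    for pid, chain in s["chains"].items():
        print(pid, " -> ".join(map(str, chain)))
    print("launched from user-writable paths:", s["user_writable"])
    print("ping telemetry:", s["pings"])
```

On the sample the chain for PID 3120 comes back as 688 -> 924 -> 2516 -> 3672 -> 3120, which is the Downloads-to-Temp-to-Program Files path a detection rule on "EdgeUpdate started under a process from Downloads" would key on, and the decoded ping shows what the updater reports home: the session id that also appears in the /handoff command line, the OS build, and an oem element naming the machine as "Standard PC (Q35 + ICH9, 2009)", the QEMU machine type the sandbox runs on, which is exactly the kind of fingerprint an evasive sample checks before detonating.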
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  6.6MB
MD5       7a4813d6dba0b2abf7376d79e068afb9
SHA1      a790f1518cb919875b603fc180e92f96c9e076f1
SHA256    dec061040fb655f176211bc8a3fc3a0c6d096f23d35129804a98261f1534447e
SHA512    6d93407376271abb5c902b6f508c33c83fa7e69fb192a61efa4d7a825b7abfdbfdf7b8a5f934857082a2976cd9cfcdfae1d76596aa4a2f1bebb3d712e6f6e4b4

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\121.0.2277.128\MicrosoftEdge_X64_121.0.2277.128.exe
Filesize  166.9MB
MD5       182ce781a75363fedee80ab8fa3f4938
SHA1      b4e74d98940a11ed165fd37585850ef28e89ff8d
SHA256    6d9a846b4c0437836b27f19e05d357f6747daaf70511d8cb13fee5cbb92f762c
SHA512    6fadbaba3713058427cf41297f6e282c7d9ece0125579efabf0699f54e3cb6b44eb58857662917b94f1e7f47236fa9870e94408a9692ddbf5ae339d4e4a1f53a

Filesize  12KB
MD5       369bbc37cff290adb8963dc5e518b9b8
SHA1      de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA256    3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA512    4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Filesize  179KB
MD5       7a160c6016922713345454265807f08d
SHA1      e36ee184edd449252eb2dfd3016d5b0d2edad3c6
SHA256    35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9
SHA512    c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

Filesize  201KB
MD5       4dc57ab56e37cd05e81f0d8aaafc5179
SHA1      494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA256    87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512    320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Filesize  212KB
MD5       60dba9b06b56e58f5aea1a4149c743d2
SHA1      a7e456acf64dd99ca30259cf45b88cf2515a69b3
SHA256    4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112
SHA512    e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

Filesize  257KB
MD5       c044dcfa4d518df8fc9d4a161d49cece
SHA1      91bd4e933b22c010454fd6d3e3b042ab6e8b2149
SHA256    9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2
SHA512    f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

Filesize  4KB
MD5       6dd5bf0743f2366a0bdd37e302783bcd
SHA1      e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA256    91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512    f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Filesize  2.0MB
MD5       965b3af7886e7bf6584488658c050ca2
SHA1      72daabdde7cd500c483d0eeecb1bd19708f8e4a5
SHA256    d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19
SHA512    1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Filesize  28KB
MD5       567aec2d42d02675eb515bbd852be7db
SHA1      66079ae8ac619ff34e3ddb5fb0823b1790ba7b37
SHA256    a881788359b2a7d90ac70a76c45938fb337c2064487dcb8be00b9c311d10c24c
SHA512    3a7414e95c2927d5496f29814556d731aef19efa531fb58988079287669dfc033f3e04c8740697571df76bfecfe3b75659511783ce34682d2a2ea704dfa115b3

Filesize  24KB
MD5       f6c1324070b6c4e2a8f8921652bfbdfa
SHA1      988e6190f26e4ca8f7ea3caabb366cf1edcdcbbf
SHA256    986b0654a8b5f7b23478463ff051bffe1e9bbdeb48744e4aa1bd3d89a7520717
SHA512    63092cf13e8a19966181df695eb021b0a9993afe8f98b1309973ea999fdf4cd9b6ffd609968d4aa0b2cde41e872688a283fd922d8b22cb5ad06339fe18221100

Filesize  26KB
MD5       570efe7aa117a1f98c7a682f8112cb6d
SHA1      536e7c49e24e9aa068a021a8f258e3e4e69fa64f
SHA256    e2cc8017bc24e73048c7ee68d3787ed63c3898eec61299a9ca1bab8aeaa8da01
SHA512    5e963dd55a5739a1da19cec7277dc3d07afdb682330998fd8c33a1b5949942019521967d8b5af0752a7a8e2cf536faa7e62982501170319558ceaa21ed657ae8

Filesize  28KB
MD5       a8d3210e34bf6f63a35590245c16bc1b
SHA1      f337f2cbec05b7e20ca676d7c2b1a8d5ae8bf693
SHA256    3b82de846ad028544013383e3c9fb570d2a09abf2c854e8a4d641bd7fc3b3766
SHA512    6e47ffe8f7c2532e7854dcae3cbd4e6533f0238815cb6af5ea85087c51017ea284542b988f07692d0297ebab1bad80d7613bf424ff532e10b01c8e528ab1043a

Filesize  29KB
MD5       7937c407ebe21170daf0975779f1aa49
SHA1      4c2a40e76209abd2492dfaaf65ef24de72291346
SHA256    5ab96e4e6e065dbce3b643c6be2c668f5570984ead1a8b3578bbd2056fbad4e9
SHA512    8670746941660e6573732077f5ed1b630f94a825cf4ac9dbe5018772eaac1c48216334757a2aeaa561034b4d907162a370b8f0bae83b34a09457fafe165fb5d7

Filesize  29KB
MD5       8375b1b756b2a74a12def575351e6bbd
SHA1      802ec096425dc1cab723d4cf2fd1a868315d3727
SHA256    a12df15afac4eb2695626d7a8a2888bdf54c8db671043b0677180f746d8ad105
SHA512    aec4bb94fde884db79a629abcff27fd8afb7f229d055514f51fa570fb47a85f8dfc9a54a8f69607d2bcaf82fae1ec7ffab0b246795a77a589be11fad51b24d19

Filesize  29KB
MD5       a94cf5e8b1708a43393263a33e739edd
SHA1      1068868bdc271a52aaae6f749028ed3170b09cce
SHA256    5b01fe11016610d5606f815281c970c86025732fc597b99c031a018626cd9f3c
SHA512    920f7fed1b720afdb569aec2961bd827a6fc54b4598c0704f65da781d142b1707e5106a459f0c289e0f476b054d93c0b733806af036b68f46377dde0541af2e7

Filesize  29KB
MD5       7dc58c4e27eaf84ae9984cff2cc16235
SHA1      3f53499ddc487658932a8c2bcf562ba32afd3bda
SHA256    e32f77ed3067d7735d10f80e5a0aa0c50c993b59b82dc834f2583c314e28fa98
SHA512    bdec1300cf83ea06dfd351fe1252b850fecea08f9ef9cb1207fce40ce30742348db953107ade6cdb0612af2e774345faf03a8a6476f2f26735eb89153b4256dc

Filesize  28KB
MD5       e338dccaa43962697db9f67e0265a3fc
SHA1      4c6c327efc12d21c4299df7b97bf2c45840e0d83
SHA256    99b1b7e25fbc2c64489c0607cef0ae5ff720ab529e11093ed9860d953adeba04
SHA512    e0c15b166892433ef31ddf6b086680c55e1a515bed89d51edbdf526fcac71fb4e8cb2fadc739ac75ae5c2d9819fc985ca873b0e9e2a2925f82e0a456210898f9

Filesize  29KB
MD5       2929e8d496d95739f207b9f59b13f925
SHA1      7c1c574194d9e31ca91e2a21a5c671e5e95c734c
SHA256    2726c48a468f8f6debc2d9a6a0706b640b2852c885e603e6b2dec638756160df
SHA512    ea459305d3c3fa7a546194f649722b76072f31e75d59da149c57ff05f4af8f38a809066054df809303937bbca917e67441da2f0e1ea37b50007c25ae99429957

Filesize  30KB
MD5       39551d8d284c108a17dc5f74a7084bb5
SHA1      6e43fc5cec4b4b0d44f3b45253c5e0b032e8e884
SHA256    8dbd55ed532073874f4fe006ef456e31642317145bd18ddc30f681ce9e0c8e07
SHA512    6fa5013a9ce62deca9fa90a98849401b6e164bbad8bef00a8a8b228427520dd584e28cba19c71e2c658692390fe29be28f0398cb6c0f9324c56290bb245d06d2

Filesize  28KB
MD5       16c84ad1222284f40968a851f541d6bb
SHA1      bc26d50e15ccaed6a5fbe801943117269b3b8e6b
SHA256    e0f0026ddcbeafc6c991da6ba7c52927d050f928dba4a7153552efcea893a35b
SHA512    d3018619469ed25d84713bd6b6515c9a27528810765ed41741ac92caf0a3f72345c465a5bda825041df69e1264aada322b62e10c7ed20b3d1bcde82c7e146b7e

Filesize  27KB
MD5       4a1e3cf488e998ef4d22ac25ccc520a5
SHA1dc568a6e3c9465474ef0d761581c733b3371b1cd
SHA2569afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011
SHA512ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245
-
Filesize
4.9MB
MD5a502990d5df008eb385b5862f37c3a6c
SHA1e6c92247d2ec0a7e823910f096d72a661da19db8
SHA256b9a56ff86f4f6d7ca4c91aba67b55e8487dcd0c31ea75fb8664a4f28aa0411b1
SHA512ff99f05a31be147e15cbfc41d9d9f371749c61dac22c2e46d73a807376c2ef8254f87c83b0d385df8f6d6262a35d95a6ea9790dde10bbb4046ecd6ed1262cbc7
-
Filesize
3.7MB
MD5d2510e262457ba8113c7fb0f629242cd
SHA164db7cd9429b270842ec773934e41e00b857bfd4
SHA2561827067422cf96a9414ec05fa27307458eeea60e08d48525a24cf176e41436c1
SHA512fefb072a329fb4699823cab11750986f28103e69feb4a60882534ed7a7cab6d509e0ce069f5bb98b771308a2a067539f6d7b614a7607024c9c550938cb196c07
-
C:\Program Files (x86)\Roblox\Versions\version-70a2467227df4077\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
Filesize1.5MB
MD5610b1b60dc8729bad759c92f82ee2804
SHA19992b7ae7a9c4e17a0a6d58ffd91b14cbb576552
SHA256921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08
SHA5120614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4
-
Filesize
280B
MD5c94517bcdb27487d85b4133261b6a31c
SHA1f8f154165ba68a981009917e545178aa086b2911
SHA256fb682eee8da49a7f1ffc6da2cb616ab3ba55ee60145a6547cd8616e0925d7339
SHA51217e255dd8086700769c5470e24cd02b585840bb2c7d4bc409337fefc93ff21e83614e445a3530cc3bb0b52d6a31075e238784c8cb1c529dad65bd15598c1d25f
-
Filesize
100KB
MD51d387f54c0e8eb0c88dc63247d11643f
SHA155a8fabd7df307c129cc08a133c39aa554376488
SHA256c4c368c755d5f88053d9944d01469aaadac97fb2040a592d6146cf80a1e13ed1
SHA512939b1449256d3329fa6a6b7e73f524ab6430a872b3dad38b1348a3cc2e8263364683ad64acc9233e34fefe3bb061f481d32317ee92b58aa930928868cd0a4299
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize2KB
MD5b8a3e9155f3cce26002fc47b27aadf2d
SHA1606c275b884fddf4aa5507ea4045ccc8c3749583
SHA256922d6d2e6f88db3e1c365462302dd6509f95d48a0e28f4c59f496ee82aacf869
SHA512050539f8a49b35db31ae5c7cf7166953b2ba5364b5973a10f4323482daa92f74a6850a09032542f0be4b34b97b97cf6d78d3da55c42fdfa9da4ed80cbb6c3a50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_644C4AFE7F6A4CA604A4A98F3EDFB7E0
Filesize471B
MD56f7ff7cb27893eb27f0d9198f55d5442
SHA15dc0fa4feb0cbbb6eff1b1d237b5f40f5bdbb2c1
SHA2563f0611d2e39d9b2d178221ac742cd788836c3cb42b4ccee3b4cea929feca4b5d
SHA5124447a993720b9410891174033f8271cd3a7786d30b544f2ad9495db21bb873f1fe67e8c0bd699a445de049f6243f984a3fc9c568c9a48e5a21cc6f5eace51056
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize1KB
MD5218c7d1455047696e539b1babb2b339d
SHA1b9cd7ce46b66ade9b0a5e2444396929dace1f568
SHA2562761ad10ac34aba20d29dbe8560f13e7144c04350464e8ac88144835b0396be3
SHA512d690abcfab2658c40df1abb4ba6cd1f867760d5711b83339f91e0d669a6024b51bd192bb05ba3ec909dddc49ead674bf2ad0cdbee4dc6bff3118b1e1589d672a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5d2880c8237a99b270a87683705222de4
SHA114e02e07f4939698ef26a56e4ee377636b5e23b5
SHA2568fa7d1a5d4706b3ac7fc8155a5cc2c92213e5d824416bd3f0e7c1851fded4e13
SHA51267bbd513520d2f8b0736b1dcaabb7a002aec0b0b706a03739fdcf57c45fbde844bca550c1043da9094ac6a7f9e86649d72c76a7b29ef90d36262e47c402baa34
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize471B
MD54f71907417c370d5ba51cb3d29eb3c6e
SHA1bae827085de5ca56b1c6a5ff34e7d22b4f6bce6c
SHA256f1af602061d0e5cacf66f52a79d807528b55a2219d6360f375bf4b51632bda0f
SHA512fb5c4f2e50ae34f533ded1e6433fe5a896c6a7a443d0b9eaf9df1078ccea16d6fe1510f5cbe9cd7c8a34e542ff8e11e5169868907d04b483eccd7bb331ffcdaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize2KB
MD55f269d75d2d9906614322fb028febc29
SHA1c47c12110437106d301c5547b3c4a075f953f16f
SHA256ff7fe1ff4947c8addec0fd1d65420e634ddaae6be3934b60f982c092140dbafa
SHA512b78fde9691610252537af73f49862684a750a2d50d6ac58b9dbdd6dc0858875d8b9971ccf6345c83e7550245dfd8a6a4b4aed7ecda85564b1c944493b5c70217
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize1KB
MD5ac0252a6c8673fa50bdf2961dd6bd471
SHA1d4a096f0d135df10b1c9cdbaed123f1f0377cb1c
SHA25619122c391d8cc9a95017536b2c46b10bc80c2ee932ae4bb99bc10ac87f6ae130
SHA512899ee2c274dfef70520a25b5ac744c55c3a513a68f327ab692c8584ddf8d69a51fa5191820d6bed84bbd2e2a1b61fdccccb85b9f3d3866ed4be70e48c6ca2ca0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize488B
MD5fe67e5dd281e37eaa1a22d3383027cd1
SHA1ed5e077ec80d230f9e374c528a9c729692d28673
SHA25626ca087e53ba42a88f7dee71884dd572cae06d98a3650d64bfb5ac9245d12701
SHA5124b8260d7307d5bb87cd25a0fe8cb6fd5622486e0438f1a484d8fc5a0368809a00afad8cd744503fcfa9be104685098f252357826b5e50c7085402345608aa1b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_644C4AFE7F6A4CA604A4A98F3EDFB7E0
Filesize488B
MD584001bc42a7d1274ff24b3b582417226
SHA1ce91028f0e77b2f904e1a8c039b61199bda77191
SHA256da95d44b6f4550f9c1ac284ad8b356bc5b794fc5a9c3efdd84fff303ee2307f4
SHA5127145ec4c6e0505387e687dbb0c6af58c43f8bb43b72f072d53be50e1c0da6b1adc01450184856c0c5c01ce500d3727c14db5ace796d162437a57100f8599f5a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize434B
MD54a6a5774d91c87bde1e56eb8eade2418
SHA15e3c6e4d013edbc4ee0c9577c6d7f9ac15ec3b08
SHA25603d2b89161b67f3d36dd584aa17ccaea0da7074d1e4743cb22e409decb44f16c
SHA5128b8ab5f949f9b558d92ac52b99dd7adb730c5883d9f58b871332fbf0f1d1c1350932f7d72c6162394b400ed444debfaf03d9497d02b3522526ad4c0267e36a80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD59f30659e1a579bea6a87d9db06c8484c
SHA1faf8d268c08b09fd91543890e331ad683f900b7b
SHA2567c6ca8e8b8dbe056f954d1633904adb766389922f619ab671daaa1a9da171dae
SHA512ffd0edfeeb77356dc9c7a7aae15bd206f97eb9c6fda933f94be7568f5d9f2ddf38774594c44c14ca035df380b67e6f673d7958e0a5f7d8ddf18b84a51a015ae4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize400B
MD593458643798d4800d8d11c0f9c4e5084
SHA13e46bc75ed26f96b16d65bb645753257d878bad9
SHA256d242588f39e81227fe47673658ec4781b039ffa19ee91fa5caccfad547c37a39
SHA51228309e63ebada9b75be4eb49d58357bf357fc418107d71f3a96b58006cfbcbd99be363ea5a6d397810702881eedccd69bbbb34e76dd55740e726c9a08fecbf44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize458B
MD58398e6f4f1c348689e985866e424ff3e
SHA106529e5f20fb8df2e39f0e5f83d4a3d3c6ebb305
SHA2565155972b23f8e0c870202c9e86639438902ebc4c27bd83e3b86b4acb49f42812
SHA512b016d779c84f20ba680b8ea71c0859be772a17be2af42a70b40304b12c8e35fb94208c328c891b8f2000096a377f9fdbf1beabdb559ee756f3cc74eaec5a7757
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize432B
MD5c50178ef49320b774e22ec51177e5093
SHA1069d56c41cb15d3a6e2b318b965ab4a71b834fa6
SHA2566be5ed37455ace3332a1641e83d49c361158a7082e5088bafe29caf6030b5960
SHA512d11cc887b827d7f2afc0a4bf43aded2cedc869c1cc06f8a2ce81b12f9489162cc99b28c96a1474e2cf9cddcbd8ba3094510574ce7cd0af7ad9633babfb390779
-
Filesize
152B
MD5a65ab4f620efd5ba6c5e3cba8713e711
SHA1f79ff4397a980106300bb447ab9cd764af47db08
SHA2563964e81a3b4b582e570836837b90a0539e820886a35281b416e428e9bf25fd76
SHA51290330661b0f38ca44d6bd13a7ea2ab08a4065ec4801695e5e7e0dea154b13ac8d9b2737e36ebe9a314d2501b5ef498d03c5617c87e36986e294c701182db41b9
-
Filesize
152B
MD5854f73d7b3f85bf181d2f2002afd17db
SHA153e5e04c78d1b81b5e6c400ce226e6be25e0dea8
SHA25654c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4
SHA512de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971
-
Filesize
601B
MD549e10def35bef28fc8b518721f2d10ee
SHA184e0c53edfaae149d1381dd3d7a746e60e7cf4f0
SHA25656d876b651f58712c5c35043026e1c5f4bcce0e5e85b4d38cfbf19e0b7c56226
SHA51253d726096c9a2f1668807a93b9fc3f2ee9fcb811c6333bf367291f2da27d98156901e7a9aa9fc91493d118323bbc1e9d0cf7d1b64bf6ca73d3cbc7113cc9cabb
-
Filesize
6KB
MD5c82ce6e7a5e550b4b820052fbb3df1f9
SHA1ece61f6598982f99d1580a035a8da81362170232
SHA256e97f40031b3855f0b31ff89743ef0e014c90104458b3e59d98cf1bf194898352
SHA512f6a3d688348a7512d54ddba9cf94c579d262118af879e5da8cd2a1459a4e75556adc1cefd753ca131f4506a88a0512e9dd467f4c0a823e375c176713cecd21d4
-
Filesize
6KB
MD59fa0b6273722a313b4af7f8665f2c578
SHA1ee708314fd0c7040d839ce54bd5d6d2659aeeed8
SHA2562c63b9019f5ee2d9e50f86b380fdd60360c97fd75b0f17e20b2062ce898969c1
SHA5120b2b850997dc7c2d8b3788de837c369f085b17f219cf04036bbc9d19cace32cb79cb536fc78bc4fcad4e795a7e5d872f116568ea4f4fa48dd4d1c64805649a88
-
Filesize
6KB
MD5bb0475a332acef78568e2b17167dea0a
SHA1e30b9ff77d9ae25c2a48d80f24ee4d605880a3bd
SHA2562329139005ef9224cb6253c412f857ca0224def10ed89026478027c108401de8
SHA512cce9f34fefb3ce34dc72da44509139e98ff940ec1428471dbb350ba87a8b538214d9ee6a4c82c2930703e3b08435c0c85aca8c988d801c3c78027ef169678a14
-
Filesize
6KB
MD52d88af01e91a5a646c37d5094580b8d2
SHA1abe284c6c7e8e9d206eba43ee3e8742e5abe720a
SHA25691148b9f0d19e59c41054ede5a13a7b93314e68202dc3afd941075d054bcc4eb
SHA512cbcfe6e979c812c976ef9c4c0fe53232e86b91ca93459e5411b0e9c59f4ec16b8f4ee698a6a6a7b84bd02fccbb685567a357e06095ff49c7ea9ec2131d3c110a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5853399a060dd25814295c04f5aac16c4
SHA105b1a183a9372c1bdf44f88c9d915e3ef02ae8d7
SHA256d29328af05b6d0533015105629d2844ac16ff717336cff3c7f49f9c541702f5f
SHA5129c114dc5cbaea37563eaccaad7272b5bf13cbf42ad8dde00dfea47a4db5b3674d1b61a82c480b5e617faabce6cb6da5e5ee6796a4ab6fd74932f110cc78f8410
-
Filesize
11KB
MD57c556bf8032c00b31ca2b44a0320f3f6
SHA1d4712319c1636997f36ec57481a975a4f3c389dc
SHA256c8bc5bb20d40a086233742ce10b299e0005f12f5558288104af1c7b9f8bd41c1
SHA512a27440debdbb8b321adb18159e9f54447f5336f90837cbddc5f45172b2071e453355eb320cd1e45581b70b28b48e9bf5bc04418eeb3998b12d9a44ca07309900
-
Filesize
5KB
MD580f5562d56a0678d0f21382c9c701ce8
SHA19a6b7401d30bc99744535ce93fd6a07b70d57ca5
SHA256c90ff6ae2e4089e3a7153c1aef453c7b5a881c7fcbfb2ec89cb52cab3cc0a61d
SHA5120c74a4c828942f7457d69a33d65a6315c0c9a6313c764149d47f5145ecf58c76a38bfdefb45331eeeb9ca0fbf5bd92a5cce4790e4c6b318865dee36474a456fe
-
Filesize
5KB
MD5f813ed3d3deee04f1055aaad8ff12d48
SHA10a8ef18055d7cacf1c39a2103652a477940c95ca
SHA256b5ed185cea2a1443305ec950b8e1b752ee3705f1126f516e6663e07b8ac324da
SHA5124da39806cbfdfe2d82be22378db10c92446d2de2856b0e5a042927fdb489feb00d03dd979bfe4992faba27f7ad769a0d654ddce656a746968e1e919932037f46
-
Filesize
119B
MD536f9d29123e6d3ba11fc0606e118b42e
SHA1a01ab621c0a4ef112f3c8a22af45335377c6ea6b
SHA25639b4d267880abe6cbbc9db4e89152a3faec2e1f0ea9f4ee208382326f5d1bdf2
SHA5125c07a9b4abc9f9f5daddb3afad82d08f827375085cb17c645b6da321f1f27d406006ab76b47544978f9785ca195ad63cd3123ebf1ce5717adb64204a4aeda680
-
Filesize
163B
MD5bedbf7d7d69748886e9b48f45c75fbbe
SHA1aa0789d89bfbd44ca1bffe83851af95b6afb012c
SHA256b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61
SHA5127dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YJN5EL03\version-70a2467227df4077-rbxPkgManifest[1].txt
Filesize1KB
MD556391f65239bdb2eac877d841a63a964
SHA174956b20cd045ee4eb7bc07623eb43113d5afffa
SHA256184f6d4cf6105a41c4b651c2f72d7134fe01c0e5824b489b869041f96325fabf
SHA512351eec5e076340835cbe623610fe44a763071d381fb6aea07b02e7dc594c1a3f28c55afe08ffb156e03b001475049c024e390d22487d9d398094f33fa334d0be
-
Filesize
5.0MB
MD5e5d3b8a1a30406c5f0899e94020cc821
SHA137351bacdd4f8edee07dfecd1ed14fcfee18eb18
SHA2562a5b535ccd9620aff782560722a034f5a2556a11df84e9bfe62c0b84fc86228d
SHA5128003f619e281870ef33dfd775191dfd697deb7d2f0a4e0b4ce68a0b80514aa9ee6bdbae6eaaa1289030c31b2460d62b6091fb8f2cda18f41ffac6b7443d32955
-
Filesize
40B
MD59a1396e7d616a2138a853ea9fd60b08b
SHA1e530d1dfa880c9c25807f2698688deaf5ea3fccf
SHA25676e88b15bc80f139a07cfe0f9c963e550ce345134d6545526dd0f48ea698c600
SHA5124a818959534dceee244a40304517b84984b651e0ae315ca80fec452f4c0d32987b1fafcda84df1625aface52b53d9f01dd00ec9c43edd9aa134caa139bde390f
-
Filesize
6KB
MD5f204d05fc531314cec49b1546408f2f6
SHA1ebe04c0daf4bbe6914a85de81ef0a2ab3a61b885
SHA256cafb450d0b2a2f05ac722b6d553a47c1344cee9013bc670199d2d5034b20afe6
SHA5126ed306fb426a1236c8b6615cf9782425a332dee2a96b443f1755d1fde5ff1d19fc4e846b74f1f14afeea198e2453916c0f12879813c02a20c9caf81147ad9e05
-
Filesize
2.0MB
MD589d6a1fc919af40dd7f2e09c5bdad4e0
SHA1aee6eeeaecd7fb69cf3733000a26c7fa023a1833
SHA256057e8242bdaea8f67d5151b672b1511bbf0cc34064217c323e142346c47f7b23
SHA5126f3b9e51d487a4eb1fe5a2cf7b7772b81301d2e10a844e424cea008e6c79294c2774cf5cd47992c8aac53f7e3621e1637cad8adb7f58d046485125276d407f85