Analysis

  • max time kernel
    550s
  • max time network
    584s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    06/04/2024, 14:41

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.1MB

  • MD5

    a37cac76cc02bf62462a514281e29047

  • SHA1

    5b430683926059ef58df924fd87638abb2d82eab

  • SHA256

    af4f0da458195e016f0a5e395df89c36f005bf24ca1ddd68a35373ba8ff66734

  • SHA512

    c94ffc5ba4a4abddb437f46115f1eb83e3b6a51224860e337f4286edd0e8442676f3b999a28234c34f61f983cbbc2363fb953306dfe1ef98d710752e0e29ef51

  • SSDEEP

    49152:NYuRj40EoNbMp3zEKzIATbqa3q2WrT2/MyPMQ3dSIDTrb6SMg:ucjCoNbGzEKzRPbP

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets file execution options in registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 59 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Registers COM server for autorun 1 TTPs 31 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Checks system information in the registry 2 TTPs 12 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=3539e67194ee6ba0c99d6e96abe3b09d611a4794 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5e8,0x5ec,0x5f0,0x5c4,0x5f8,0xe28c44,0xe28c54,0xe28c64
      2⤵
      • Modifies system certificate store
      PID:2528
    • C:\Users\Admin\AppData\Local\Temp\RBX-56FA5E70\RobloxPlayerLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\RBX-56FA5E70\RobloxPlayerLauncher.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Local\Temp\RBX-56FA5E70\RobloxPlayerLauncher.exe
        C:\Users\Admin\AppData\Local\Temp\RBX-56FA5E70\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=60fbaa906b1f866e4f443e8242ad94e1319ed1ef --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5bc,0x5c0,0x5c4,0x598,0x5cc,0xc9dec8,0xc9ded8,0xc9dee8
        3⤵
        • Executes dropped EXE
        PID:1256
      • C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
        MicrosoftEdgeWebview2Setup.exe /silent /install
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
          4⤵
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks system information in the registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies registry class
            PID:2052
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2180
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Registers COM server for autorun
              • Modifies registry class
              PID:2800
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Registers COM server for autorun
              • Modifies registry class
              PID:2092
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Registers COM server for autorun
              • Modifies registry class
              PID:2972
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REIyNjdFNDctQ0ZBNi00NDgyLUFGQjYtNUUxNzY2NDg4MEJGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGM0ZEREJDQi1BODE3LTQ4MkItQjYzMS01NjA5ODg2M0IwNDZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI5ODc4NDgwMDAiIGluc3RhbGxfdGltZV9tcz0iMjI2NiIvPjwvYXBwPjwvcmVxdWVzdD4
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks system information in the registry
            PID:3064
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{DB267E47-CFA6-4482-AFB6-5E17664880BF}" /silent
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1972
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks system information in the registry
    • Modifies data under HKEY_USERS
    PID:1132
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REIyNjdFNDctQ0ZBNi00NDgyLUFGQjYtNUUxNzY2NDg4MEJGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntERjY0NjBENi0zRUNFLTQzODQtOTU1Qy1BRjU4OEM4REZBMTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyOTkyNDY4MDAwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:1044
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AAD068-E100-4E6D-8777-8876F904F3A2}\MicrosoftEdge_X64_109.0.1518.140.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AAD068-E100-4E6D-8777-8876F904F3A2}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2568
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AAD068-E100-4E6D-8777-8876F904F3A2}\EDGEMITMP_31D0A.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AAD068-E100-4E6D-8777-8876F904F3A2}\EDGEMITMP_31D0A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AAD068-E100-4E6D-8777-8876F904F3A2}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        PID:2448
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REIyNjdFNDctQ0ZBNi00NDgyLUFGQjYtNUUxNzY2NDg4MEJGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDQURCNTM5Ri02MUFFLTRCMjYtOEJFQS1GNjJBQ0JERjYwMDB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguMTQwIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIzNDA1OTg4MDAwIi8-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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA5IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIzOTYzODY4MDAwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNzU5MiIgZG93bmxvYWRfdGltZV9tcz0iMzEwODgiIGRvd25sb2FkZWQ9IjE0MDY5NjAwOCIgdG90YWw9IjE0MDY5NjAwOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMjMyOTIiLz48L2FwcD48L3JlcXVlc3Q-
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2256
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {EE93F31B-741E-462D-9502-853C1E65DC8D} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
      PID:268
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      PID:2356

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\109.0.1518.140\MicrosoftEdge_X64_109.0.1518.140.exe

      Filesize

      134.2MB

      MD5

      2351a10f63322e5c3ee8f44f4d0d6bba

      SHA1

      64012bc2d19c899c466b473f1984800870ec2fda

      SHA256

      70d496873a0a1ca14ae0a038d25856b2121b1b4b7bad9801ce639b144bac41f8

      SHA512

      692c0c9b9ed5bc8aaf0c751b9faf60729af79365781b51237e8dd57b57c49459d83dc2c44b093bca4092519d4c9ae712dab8073a7fe63245e405f17164b3c1d2

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2448_11631411\109.0.1518.140\Installer\msedge_7z.data

      Filesize

      3KB

      MD5

      bd70ed26e6e6f3193043ac09c58c6a1c

      SHA1

      d733a65e17f2851d5116598dd80533efc1656468

      SHA256

      7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448

      SHA512

      3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2448_11631411\109.0.1518.140\Installer\setup.exe

      Filesize

      3.8MB

      MD5

      3a92a61a6e01c80ecc7d9499abb901b7

      SHA1

      d89d05802d937f9c71ced14282b8a19623fca7c8

      SHA256

      b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e

      SHA512

      3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\EdgeUpdate.dat

      Filesize

      12KB

      MD5

      369bbc37cff290adb8963dc5e518b9b8

      SHA1

      de0ef569f7ef55032e4b18d3a03542cc2bbac191

      SHA256

      3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

      SHA512

      4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\MicrosoftEdgeComRegisterShellARM64.exe

      Filesize

      179KB

      MD5

      7a160c6016922713345454265807f08d

      SHA1

      e36ee184edd449252eb2dfd3016d5b0d2edad3c6

      SHA256

      35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9

      SHA512

      c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

      Filesize

      212KB

      MD5

      60dba9b06b56e58f5aea1a4149c743d2

      SHA1

      a7e456acf64dd99ca30259cf45b88cf2515a69b3

      SHA256

      4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112

      SHA512

      e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\MicrosoftEdgeUpdateCore.exe

      Filesize

      257KB

      MD5

      c044dcfa4d518df8fc9d4a161d49cece

      SHA1

      91bd4e933b22c010454fd6d3e3b042ab6e8b2149

      SHA256

      9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2

      SHA512

      f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\NOTICE.TXT

      Filesize

      4KB

      MD5

      6dd5bf0743f2366a0bdd37e302783bcd

      SHA1

      e5ff6e044c40c02b1fc78304804fe1f993fed2e6

      SHA256

      91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

      SHA512

      f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdate.dll

      Filesize

      2.0MB

      MD5

      965b3af7886e7bf6584488658c050ca2

      SHA1

      72daabdde7cd500c483d0eeecb1bd19708f8e4a5

      SHA256

      d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

      SHA512

      1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_af.dll

      Filesize

      28KB

      MD5

      567aec2d42d02675eb515bbd852be7db

      SHA1

      66079ae8ac619ff34e3ddb5fb0823b1790ba7b37

      SHA256

      a881788359b2a7d90ac70a76c45938fb337c2064487dcb8be00b9c311d10c24c

      SHA512

      3a7414e95c2927d5496f29814556d731aef19efa531fb58988079287669dfc033f3e04c8740697571df76bfecfe3b75659511783ce34682d2a2ea704dfa115b3

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_am.dll

      Filesize

      24KB

      MD5

      f6c1324070b6c4e2a8f8921652bfbdfa

      SHA1

      988e6190f26e4ca8f7ea3caabb366cf1edcdcbbf

      SHA256

      986b0654a8b5f7b23478463ff051bffe1e9bbdeb48744e4aa1bd3d89a7520717

      SHA512

      63092cf13e8a19966181df695eb021b0a9993afe8f98b1309973ea999fdf4cd9b6ffd609968d4aa0b2cde41e872688a283fd922d8b22cb5ad06339fe18221100

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_ar.dll

      Filesize

      26KB

      MD5

      570efe7aa117a1f98c7a682f8112cb6d

      SHA1

      536e7c49e24e9aa068a021a8f258e3e4e69fa64f

      SHA256

      e2cc8017bc24e73048c7ee68d3787ed63c3898eec61299a9ca1bab8aeaa8da01

      SHA512

      5e963dd55a5739a1da19cec7277dc3d07afdb682330998fd8c33a1b5949942019521967d8b5af0752a7a8e2cf536faa7e62982501170319558ceaa21ed657ae8

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_as.dll

      Filesize

      28KB

      MD5

      a8d3210e34bf6f63a35590245c16bc1b

      SHA1

      f337f2cbec05b7e20ca676d7c2b1a8d5ae8bf693

      SHA256

      3b82de846ad028544013383e3c9fb570d2a09abf2c854e8a4d641bd7fc3b3766

      SHA512

      6e47ffe8f7c2532e7854dcae3cbd4e6533f0238815cb6af5ea85087c51017ea284542b988f07692d0297ebab1bad80d7613bf424ff532e10b01c8e528ab1043a

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_az.dll

      Filesize

      29KB

      MD5

      7937c407ebe21170daf0975779f1aa49

      SHA1

      4c2a40e76209abd2492dfaaf65ef24de72291346

      SHA256

      5ab96e4e6e065dbce3b643c6be2c668f5570984ead1a8b3578bbd2056fbad4e9

      SHA512

      8670746941660e6573732077f5ed1b630f94a825cf4ac9dbe5018772eaac1c48216334757a2aeaa561034b4d907162a370b8f0bae83b34a09457fafe165fb5d7

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_bg.dll

      Filesize

      29KB

      MD5

      8375b1b756b2a74a12def575351e6bbd

      SHA1

      802ec096425dc1cab723d4cf2fd1a868315d3727

      SHA256

      a12df15afac4eb2695626d7a8a2888bdf54c8db671043b0677180f746d8ad105

      SHA512

      aec4bb94fde884db79a629abcff27fd8afb7f229d055514f51fa570fb47a85f8dfc9a54a8f69607d2bcaf82fae1ec7ffab0b246795a77a589be11fad51b24d19

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_bn-IN.dll

      Filesize

      29KB

      MD5

      a94cf5e8b1708a43393263a33e739edd

      SHA1

      1068868bdc271a52aaae6f749028ed3170b09cce

      SHA256

      5b01fe11016610d5606f815281c970c86025732fc597b99c031a018626cd9f3c

      SHA512

      920f7fed1b720afdb569aec2961bd827a6fc54b4598c0704f65da781d142b1707e5106a459f0c289e0f476b054d93c0b733806af036b68f46377dde0541af2e7

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_bn.dll

      Filesize

      29KB

      MD5

      7dc58c4e27eaf84ae9984cff2cc16235

      SHA1

      3f53499ddc487658932a8c2bcf562ba32afd3bda

      SHA256

      e32f77ed3067d7735d10f80e5a0aa0c50c993b59b82dc834f2583c314e28fa98

      SHA512

      bdec1300cf83ea06dfd351fe1252b850fecea08f9ef9cb1207fce40ce30742348db953107ade6cdb0612af2e774345faf03a8a6476f2f26735eb89153b4256dc

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_bs.dll

      Filesize

      28KB

      MD5

      e338dccaa43962697db9f67e0265a3fc

      SHA1

      4c6c327efc12d21c4299df7b97bf2c45840e0d83

      SHA256

      99b1b7e25fbc2c64489c0607cef0ae5ff720ab529e11093ed9860d953adeba04

      SHA512

      e0c15b166892433ef31ddf6b086680c55e1a515bed89d51edbdf526fcac71fb4e8cb2fadc739ac75ae5c2d9819fc985ca873b0e9e2a2925f82e0a456210898f9

    • C:\Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_ca.dll

      Filesize

      30KB

      MD5

      39551d8d284c108a17dc5f74a7084bb5

      SHA1

      6e43fc5cec4b4b0d44f3b45253c5e0b032e8e884

      SHA256

      8dbd55ed532073874f4fe006ef456e31642317145bd18ddc30f681ce9e0c8e07

      SHA512

      6fa5013a9ce62deca9fa90a98849401b6e164bbad8bef00a8a8b228427520dd584e28cba19c71e2c658692390fe29be28f0398cb6c0f9324c56290bb245d06d2

    • C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

      Filesize

      5.6MB

      MD5

      ae62ef723642e510c8b4947b4282ab7b

      SHA1

      81077adc6aa8bec313449ba3f6a9ace7215686b0

      SHA256

      f99809b75bf1c380dc7b84c64fcf91e450e3d1658a0b4697691655bd242d9a23

      SHA512

      ba7a35557269abdc921e2f0180577ef30bea4a3379bca47f97a331ad0aaa14214c0f8665a696615f82b00ea6b31d07fabfc802af5606e9238b15b430a9d3f358

    • C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerInstaller.exe

      Filesize

      5.3MB

      MD5

      666f69bae6e56a62b7af6cb8496f677f

      SHA1

      ae052de936deeebe5fb8d8c059eb84fa38707c4d

      SHA256

      586adc8fe02d5ac562fbc338df3555732d9d0b77db7cad306aadec22447ce6f8

      SHA512

      ee479171bf4dbc0b7d690202e0a6c09ba88cac1a1a34e4f115c9d0c65f1ca752cf3d180d6047fa1066da933a48e8cac070d4f1dceec8abfd8ee1ab3590ff50ee

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

      Filesize

      14KB

      MD5

      16c23f4c31a2ce2ac264b6405141a00f

      SHA1

      aec00350caf017c7733888a6cfb3e039f301b99c

      SHA256

      32d9334d8efa458a2bd230aaf5d89954a5079f463c3665c0fc0cddedca2dd753

      SHA512

      1707915c5178e5ca6f920c10e684e9d9e79b075401f1b7f7e5a650152537953ad09fc43d0b424e5354fb0625e0b89ad31fcf736cd57b2aeb734899b20cee3477

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

      Filesize

      2KB

      MD5

      4bde18d2f5b811fed86d03d6adc8286e

      SHA1

      63b6992b87267f42e1ce495db1fe41f0217db09c

      SHA256

      213737f3914c8d8ab9addf3452701855be5f6ac138ed962b29f16c5f250977fb

      SHA512

      4734ae474878ced5b76b998bf25f73eacf4a417443506e5e89bd05e4f847911dfdca56462270fd3a2c7e97f45bec210ae5347c722bf4d1ba682e2fae84496ca2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      914B

      MD5

      e4a68ac854ac5242460afd72481b2a44

      SHA1

      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

      SHA256

      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

      SHA512

      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

      Filesize

      1KB

      MD5

      3cba3b57f5faeaac18f660bdf00f7c25

      SHA1

      21104b4abf6134c895f1f6d8148496e18724fd2c

      SHA256

      391b2b7685c0962929b65eb56682acc677f4ed5d093333f8e45d3e499bd820b9

      SHA512

      e910a1fa6add17de6344dec2e106a224869e78a75ca50fed99b5f502847f52f7bc790b8a2d3a56f56ccf03abcba5715fe20c284cddb1a78382c48bf790902e64

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      0edd390a9ee9f40e466c803a9b62ea8a

      SHA1

      614a61309859badbae8df3fd3cfda54762e2cae8

      SHA256

      c3fd50b460eda0bdb628a07078dc6902f9b5446216e12b900015e46f7306563b

      SHA512

      277b4bd3bb8823936d18fb9efb12261e579d1ba454a56285ff8160739656f7c8af3fb42ae9e8986290d8de055e0bc65c81fc5296afe36a8bb716858d6fd8b51a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

      Filesize

      471B

      MD5

      cb5c1b37e863532e1725fcc3a1e0d41a

      SHA1

      687e809d67ab00d0186dbc94f32360b63337cf0b

      SHA256

      947cd125806704ac752b9d72cb6ea5af1f5c689c38c59e7c537445514d29540b

      SHA512

      34d428d756784c117b99617f9746c8ba5afe300170487334804b062e6452cffdfb0430074a6dd935c1611f3bceaf8a5ff37d72affede65a0b9ffa3d5e422f98a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

      Filesize

      2KB

      MD5

      074540d391479062c54a478d16da061f

      SHA1

      ba64224663e926ecae58b176761781d8054a20ca

      SHA256

      11c087265ef3d54c00d7c6f52b8024be61ce244360cff0f6498ec9b3c2f263ae

      SHA512

      acf7a0911930cb02ddb398576f8a5ba2e69f6560e0c9cf55d152506910444b97bab47878658f325b3c52310e0ad235392141f7884beb673e091b272a60c0d9dd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

      Filesize

      1KB

      MD5

      0f3734364fd6107c3897385bc7d689c8

      SHA1

      f4ec874e00d858d7aecf101a53de3309013ecc0c

      SHA256

      7f172daab6977a3636f0ae6d7e2cceb88429b293d3ccec22e556c003466938bb

      SHA512

      82f855cc3b28beced973dc5fe0e7190cbb5d5d399f9093cc9f4b63bff4becc502410f063fa3f98ca82010b4a6ba529629fca59b8995d91793df52df18586898c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

      Filesize

      488B

      MD5

      72bd370216cdda30e251561440c88bae

      SHA1

      2874289b1345fc938265fd3d4da5a4d6d2cabb81

      SHA256

      d39c8427c5c3ff4d69ca7b59a5209a05ad530242f997138233c18b40c0851963

      SHA512

      6f9c24e5a61087f9757a1c570b793b3d9217f47dde5c0a075e36ff1a8053fbfeeebc02434a5f01efaf6152167af626439e8238717cc21ce82cd89a4ecd9c87fc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      252B

      MD5

      e1f5c52056db20d755ccdc0ce9fcf119

      SHA1

      6cc9cd9aae35a5163cef5d2e093607ffd1b99806

      SHA256

      dd8dba21ce04f94ea17bde4ba797ec81e68b915aff8dc58e2180230bfb05af1b

      SHA512

      b0683e5a2eac460764bedd05aecb79474c4b45798547cbbe043c10066ae514c5f4ef212ab27fd0ee9ebdb598512bf7bf6b0b289ac7ec28c310426009b92263a2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

      Filesize

      434B

      MD5

      00036724937bdfcd8c827c81ef768e2d

      SHA1

      218b02aad1f7aed4d4b37c1a6139c0b6ba652388

      SHA256

      f0bf124a3d32fad3bfdb4ba75ce0824636c24f475f949817810036beac6829a9

      SHA512

      1f3ef2a7143d97bd2af4bd2dd6a2eb1d135d7bafc774d9ec6a3cf8660cbda6360adda96d185baa2bd00d5df7aa4d36d986ed260f77278f227e25fc30dac7eb82

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      99163eb7eadfbd5ef7be53ee870829da

      SHA1

      824e0a5724c4e68b0dee042dbd64715297d30a90

      SHA256

      e0451333b91b4dbbb0722a62b12446a8b419a69a5e5999ea4a89aaebb4cfc12d

      SHA512

      744d06376724aa435ccfac4a699d30362e46062ba9a28375b325081f93094c9b6b56c77b442690d3dd402c252d298b34664ca50b0988a7f6494924209d276b01

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      fb3a51c19ec7c64e91543931ba2c4348

      SHA1

      d4d2760750e20b859138ca63478a52d17d97f7f2

      SHA256

      5de3dca634c6105118a432b48713a5e768bec34cc8687ec7ac44a61f2a8facda

      SHA512

      a5f8c0a9309b7bf250dda0683feb730479feee66b584d17740eecfac241f6da1dc2cb2763260701a29e39c6c14ca4541886292531b8d34d3f18d87e4b07cfacf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9bf7d6d3386e0177e8b2c48ae80784c2

      SHA1

      daa69fbc38a500e791ce879e6eae3b80d2ccb942

      SHA256

      022849b848896017452352e2a3d526416179e314284d21d4b86c68feaeb234d7

      SHA512

      550c8adb9dac7029533520b1af8f796262c4c866a7f2c03a85523ed83ae3476c12511820adb58b1fa2b3ce1be6df5301f0882da41d0ab60782ec12ef3388da4a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5fd1ae376f9fd4931685b1a5011552de

      SHA1

      599d77d8f91631dab74d2c543bc4a8d8a6268f49

      SHA256

      3fe8625c3c4eb46d75809dbe100dd8ed63cf6a3e192a9aa27d7b7102122e1e98

      SHA512

      745ca153ebff308549b01d26e3ebaa1f8a4b6eab9a1210238a33e7c1ffabf136be68e7f9e525852612b1e79e788cf0a28f783777884f008141239ff031e38b7f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      dd4aa5013e6816a86c30580d61c26e11

      SHA1

      dc7cb798a359d23ff23282b44f0cc581682ea961

      SHA256

      5701aa1b5ad5d13f345f77d7cb18505d89971fd5809070b9ef01f859e117f978

      SHA512

      74df934fdd672015c5506c449a83abd9e413dfaf542c3009d766008babf9cea63a92c93eed82eceae62273a2e7123a341a09d7c6dcab79516ae6cc148ee094cb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      9d5bff9f32bc879c8f3fda624c746fdd

      SHA1

      35d7a1462a3b0a9711cc83ccaca63ba01de741cc

      SHA256

      6ed27df6f5af18d09bd877ceef7cc2f89be07f00473eb9ce705653430aaea552

      SHA512

      60500856a96803eb2a102a35dd5ab079d216c446e50b61e457032f97c0ccc6c45b3a40fc53c1fe5f76cae3cd783c74e6eba81b2cad3c5f1c5f342186dc345a07

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      ea7a8bcd620e6cf10ce37219e88c1349

      SHA1

      47123d3cbe5edf620847db4a3d2534303cbae639

      SHA256

      af801c07ac03411405e60c3a4bd6c405c15e261accfda9a1fac1c29f1b32ca91

      SHA512

      89177dca074a7d47909255be3192b0cea74a9e376202a9ffc56c76148e6870e63c151fd6c46f8603052fc7fafefcdf82261cc72fea87d1940a1a787cb6ac8f74

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      9a4bacfc5749f74f20fe7b5eec33cc6d

      SHA1

      d8d290372535768f66e75228feebf91172ef23c1

      SHA256

      2914fb8f0745f686597978f7f932445322871646c2868e2d4b83404b7dae5502

      SHA512

      ad1c2948b4e7e5de0ae03d77924848dccead2f004a03bf844b70267716ae1b16c4a1453d29e9caeec366f338ee8e041c74703daea95816fa237d522b5ab82675

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      dc784a1dece2f7c1e8682ab176dc73f1

      SHA1

      9a950b23c57b903f3789106ad00ce1780d0df7bb

      SHA256

      ef160f8879b87fa44ad0f380d8b2ce16abf3eca26fc41a82b63fc4a37c457011

      SHA512

      0e0e2a6c8e8e6cfa2e4e0b17c7d401c18fdff5f51f539fb1962e8b9ff2e2211546e3d94fac809dcab7e7ac53678dbad2fc96d49abd0a57a536638b95dccff95d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

      Filesize

      400B

      MD5

      f00e3a409043b43413406e7678911854

      SHA1

      3a752b5957887cd481d4001c2f67b4251797e449

      SHA256

      fbc835650983e9539406d75838ad44886bf704b34bce2d48de21f0e1c99aa73d

      SHA512

      608afd9ea055d1c4ad272bcd0687e6863c02bd1be63653394ef92c7f74e55c59a34f1319ed537b381632a35eb4df2fd6652c3566f7202457789d0719d5717b70

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

      Filesize

      458B

      MD5

      196aad6fa0dd457f960fbcdfa1663956

      SHA1

      95a958d2145e0d86d1b8b79dbe4768604cc37fdc

      SHA256

      fc675d03fb5c73a7b905050907285d0220d3cda24fed8536320ff0cca6e69acc

      SHA512

      f3bb1b3d29f88ada3dd03ba5525f5eeba2eec49fba17fdf026366f6bd1f9c6b148fc9b307402ae10576de871dcd533f924e351692b84a6d50d2dbf6b257f5e87

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

      Filesize

      432B

      MD5

      19fc2a95bd45710e1e242dd4fd15df14

      SHA1

      b48f3ddb23a44fa45d8272ac0d59834e79b6e92f

      SHA256

      d1eb4e17e07000aaf8f58170749a22a3d0970fe4f2b0d2dbf0a9b481ac1c0fba

      SHA512

      1d1d3d55b14aca59dd3f76d057976e3d1e54896f314bc6433ed146a0e8b923e09c95ce0133cc88c3ddfff22e1fb9d3cf06e88c3e77184b838be790a1f4ce66b0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      3da15a800e125464fb873457761a4d93

      SHA1

      3c866799b068fb2ca19b0832dcc0882b99f06dce

      SHA256

      153c8d06b4b2315a3d3afb42dce7f94e1ad877f4f663085334d623e5fe8f30a8

      SHA512

      83c9edc6682e35866b3b84fd65c085008206956f5df8426835f21a3c11e045467b5a2a2b50663938d2f0f844157b27273663ad7caed2a1adf30c1c3dfaaf9719

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75OMIGJ7\version-8764cc9c84a5459a-rbxPkgManifest[1].txt

      Filesize

      1KB

      MD5

      1c7b214e4eca77fde043a5e29bcfb295

      SHA1

      260a3512f06fe20b5838895fec47883efae9f758

      SHA256

      3f3ac87c23d98322c7a3faa1a9fad14da9562aacabd06daef9e6960ae9e23b94

      SHA512

      56226c74cff52bcaad4665dbae01ac1d0be55fdd0fed457544b46fab07100bd7d35955fe0e8f526188a09fb67ab10469f01761df30a60c22f2722c607be3a658

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B4HDT8MX\WindowsPlayer[1].json

      Filesize

      119B

      MD5

      7a4f61c16994714c7d10abd10576f64d

      SHA1

      51a9595244bf96fcbef153cde2606d9cd4762384

      SHA256

      ef0f0903449e72b1bb72ad78f8a313b43863736996f08934f433f27c7c3672af

      SHA512

      4988214e504492db493af674dc07bdaad0e41fe780129a3669524dd9474a383f74bd30742cc6b8bd02fdd1dc247a5cdcfd4b8e2f307a5465378d6252c8bff862

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTT6L9LH\PCClientBootstrapper[1].json

      Filesize

      6KB

      MD5

      cba4e37d2b13f0efe66a96453122d494

      SHA1

      a68d460683eea5ef3cd5c0003bbb46354652f7f0

      SHA256

      614dc46ab69f5f07992be9e4df35228d39ca43423fa2e52767822c3d0572fc05

      SHA512

      ee1cecfe66642e203b1f5e0e29e95631c628b5231d04097f82c8377ee622bbf710a1c492700f997a4c47a508007073307458748b4513816d95b475a77cc916b1

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2GIJQ9P\BatchIncrement[1].json

      Filesize

      163B

      MD5

      bedbf7d7d69748886e9b48f45c75fbbe

      SHA1

      aa0789d89bfbd44ca1bffe83851af95b6afb012c

      SHA256

      b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

      SHA512

      7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

    • C:\Users\Admin\AppData\Local\Temp\Cab63E3.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Cab64DB.tmp

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar6501.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

      Filesize

      40B

      MD5

      a7b3186e2e7aa80b683580d1f5ebccb0

      SHA1

      ecdfbea4153029d97bf460f320dd64ad9d4dc482

      SHA256

      73f221c53f9d2c5ebfdbeb18f1b89fb9bd29629fa1d40bc0e831b203def2608a

      SHA512

      9f125e751254d78d5b251a67c7ff3d34ebfcf099bfc4314e63afbd5a1355347fb41a1c172edd8eb91bbddb2aa440a23050f5b2d51034f1d1a4b28efb366a366c

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      252B

      MD5

      2c2f7b98e24e4aaf4fc105f2c0533c0c

      SHA1

      a29c57d9f86c6094f65863551b2dc8446e3c346b

      SHA256

      9d7575d9975ece8947278121f05b080bf92825f6e3c38fee8449959e5a37e3c4

      SHA512

      f9e14afcd03ae27cdea25f88773c7863e2bbe94c5e96921180123077e3b0b0acbc10b30f829b188f5c867bf67c7a62fbfe61bb01f1c2421f2e98f94b97e30693

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      8867978ffd6c77ad9a374f6060dec095

      SHA1

      52a7a29dcc54d8327f3c5032e7ecacf7abbf3327

      SHA256

      94a7c5a05072286bcc106e4b50a4671f359556ea6b05adec746b25296fe8376d

      SHA512

      5adcbfeddf1495c0115b85f3cc19052afbea4f9ecccadca19b6abd5cd6819155e7218619b46e96697de4e0b6a830cd2231b172332e0d05f10d4920ce46392730

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      f7c136498bf153d06a072833f9c806f9

      SHA1

      e34df732fba49a9beb5f3ac22bbb4685bb137336

      SHA256

      a6d6ad892f14a43638d0228ed356ef1fa3d059b6961b8a1582aae8f16dc1fd95

      SHA512

      2c386c30b83dbd0a4c27e6d4ca91706ed8a8f3d983d3571885f7831919f5ba57054c0b147d15415eaafbbb5c64e2c78975ad7f7359ecb6548eedb18e718e4f4c

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      b70aebf9be3ab303e73940bdd5fb5bf3

      SHA1

      a65318c276454ce574edcf1a2bfbfa545dc8a024

      SHA256

      ded34968797487ecbc1bb629f7f04e1d31168088293088ae492fdeec2c2791c0

      SHA512

      ddbc5e8e5637449bc917396e604efd8ab6355ac5a7a88f3789821a70852f7e772ff680f7c9f40f6d552f60d6cbc3a317c4426f7c9c469e78085327eb49fa5e7d

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      f6277ab7eb320e23aa63dc914fefeb6b

      SHA1

      ae9edef86dde9a9ba7e1d61835296e82edd22a7b

      SHA256

      8e32afe829cb0c847ee4cc89a7e026e1ce1294bf09d7d90f005147d9d5205148

      SHA512

      67b8772409a39a68378d57585ad143dfc0287b5642b2448fa6d78fe8775739d684c0e8c12536f9d067fc3567e9e9f7416f584d8a31b36aaa200ed7b05296466d

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      0432978dfc8eaa8d83e6687714af1a07

      SHA1

      8009ed8dbe648b750c2526c48e10cefefd2633a7

      SHA256

      a6b9dec25ad455608ba62764f638de01be26a8592a171bb6fd03cef023937ef0

      SHA512

      c622eec518ca43fc55dc6c936e592aeb9343a79016de4a2cc260c093fccab48d7977034810e7fe17a5bb202a4ae097810aa94810adab33e3d4c172618aeb9e1d

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      ed67c4fe2783889e9952022010ef7497

      SHA1

      29a839f1eda6deceeb1f9954f2398a02f975c6dc

      SHA256

      f36544e9a6355eb4a1dbb38296b272de747d004f38411667051178c018cc00f8

      SHA512

      0b3d03029641b314f71f0c8731b64592892c51ae8e7b69732639df30170efd6453e1da810c202375e079987c512b2c3338c71b71377b010714d78486fdd4322a

    • \Program Files (x86)\Microsoft\Temp\EU98A7.tmp\MicrosoftEdgeUpdate.exe

      Filesize

      201KB

      MD5

      4dc57ab56e37cd05e81f0d8aaafc5179

      SHA1

      494a90728d7680f979b0ad87f09b5b58f16d1cd5

      SHA256

      87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

      SHA512

      320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

    • \Program Files (x86)\Microsoft\Temp\EU98A7.tmp\msedgeupdateres_en.dll

      Filesize

      27KB

      MD5

      4a1e3cf488e998ef4d22ac25ccc520a5

      SHA1

      dc568a6e3c9465474ef0d761581c733b3371b1cd

      SHA256

      9afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011

      SHA512

      ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245

    • \Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

      Filesize

      1.5MB

      MD5

      610b1b60dc8729bad759c92f82ee2804

      SHA1

      9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

      SHA256

      921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

      SHA512

      0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

    • \Users\Admin\AppData\Local\Temp\RBX-56FA5E70\RobloxPlayerLauncher.exe

      Filesize

      5.6MB

      MD5

      f54b7571f1901e471133d4723140048a

      SHA1

      1076f97284ecb4e0b53be62af0c8de7bcef507f1

      SHA256

      32182938735b51764cb2b4f788a5ee316fbd56581aecb9698a77470981392b71

      SHA512

      df79b7b13d24e9f3c2fb8b62c58eb06e69f0dff88ecfe57190df1118f0c4e800dee7e6f10db41140c42bbf689405ba2a44f37521ba30679c866c195ef9732b2f

    • memory/1944-2600-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

    • memory/1972-596-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB