Malware Analysis Report

2024-10-23 21:28

Sample ID: 240411-1qw24ahe6s
Target: Client-built.exe
SHA256: 356fcec1d7e8ef7c51fa311d1e3013915aca1a44a586cf872abd5bcb927f6319
Tags: office04 quasar spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 356fcec1d7e8ef7c51fa311d1e3013915aca1a44a586cf872abd5bcb927f6319

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware stealer trojan

Quasar family

Quasar payload

Quasar RAT

Checks computer location settings

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-11 21:51

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-11 21:51

Reported: 2024-04-11 22:00

Platform: win10-20240404-en

Max time kernel: 405s

Max time network: 406s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A
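The dropped copy executing from %APPDATA%\Roaming\SubDir, the two schtasks.exe launches and the ipconfig.exe launch recorded above form a single process chain that endpoint telemetry can correlate, even though the sandbox did not capture the schtasks command lines. The following is an added example, not part of this report or of the sandbox's own tooling: a Python routine that scores Sysmon-style process-creation events (Image, ParentImage, CommandLine) for exactly those behaviors. The events are constructed for illustration; the image paths are taken from this report, but the schtasks and ipconfig command lines are hypothetical because the report lists them as N/A. The %APPDATA%\SubDir check reflects Quasar's default install subdirectory, which this sample also used.

```python
"""Correlate process-creation telemetry for the chain seen in behavioral1: a
binary run from %TEMP% drops Google.exe.exe into %APPDATA%\Roaming\SubDir,
executes it, and the dropped copy calls schtasks.exe and ipconfig.exe.
Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine)."""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
DOUBLE_EXT = re.compile(r"\.(?:exe|dll|scr|com)\.exe$", re.I)
SUBDIR = re.compile(r"\\appdata\\roaming\\subdir\\", re.I)


def image_indicators(image: str) -> list[str]:
    """Indicators visible on the executable path alone."""
    hits = []
    if USER_WRITABLE.match(image):
        hits.append("image runs from user-writable AppData")
    if DOUBLE_EXT.search(image):
        hits.append("double file extension")
    if SUBDIR.search(image):
        hits.append("uses %APPDATA%\\SubDir (Quasar default install directory)")
    return hits


def child_indicators(parent_image: str, image: str, command_line: str) -> list[str]:
    """Indicators attributed to the parent: what a user-land process spawned."""
    if not USER_WRITABLE.match(parent_image):
        return []  # system binaries spawn these utilities legitimately
    name = image.rsplit("\\", 1)[-1].lower()
    cl = command_line.lower()
    hits = []
    if USER_WRITABLE.match(image):
        hits.append("launched a second executable from AppData")
    if name == "schtasks.exe" and "/create" in cl:
        hits.append("created a scheduled task")
    if name == "ipconfig.exe":
        hits.append("enumerated network configuration")
    return hits


def score_process_tree(events) -> dict[str, list[str]]:
    """Attach every indicator to the image responsible for it; drop images with none."""
    findings = defaultdict(list)
    for e in events:
        findings[e["Image"]].extend(image_indicators(e["Image"]))
        findings[e["ParentImage"]].extend(
            child_indicators(e["ParentImage"], e["Image"], e["CommandLine"]))
    return {img: hits for img, hits in findings.items() if hits}


def verdict(findings, threshold: int = 2) -> list[str]:
    """Images that accumulated at least `threshold` indicators."""
    return sorted(img for img, hits in findings.items() if len(hits) >= threshold)


# Constructed events modelled on this detonation. Image paths come from the
# report; the schtasks and ipconfig command lines are hypothetical (the report
# records them as N/A).
EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'},
    {"Image": r"C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"'},
    {"Image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe",
     "CommandLine": r'schtasks /create /tn "Google" /sc onlogon /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"'},
    {"Image": r"C:\Windows\system32\ipconfig.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe",
     "CommandLine": "ipconfig /all"},
    # Benign noise: the same utility spawned by a system parent must not score.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks /create /tn "Cleanup" /sc daily /tr "C:\Windows\System32\cleanmgr.exe"'},
]

if __name__ == "__main__":
    scored = score_process_tree(EVENTS)
    for image, hits in scored.items():
        print(image, "->", "; ".join(hits))
    print("verdict:", verdict(scored))
```

The scheduled-task and ipconfig checks are attributed to the parent image rather than to schtasks.exe or ipconfig.exe themselves, which is why the svchost-spawned task in the sample scores nothing while the dropped binary accumulates five indicators. The threshold is a starting point; in production the image-path checks should be fed by file-creation events as well, so the dropper is caught before the scheduled task exists.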

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "77" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "54" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "110" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2b03cc8a5b8cda01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "56" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "13185" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{A03AA32E-FB53-43C5-BFFC-43F25F82F720} = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f4f2ec835b8cda01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 35edfe835b8cda01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "21" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "21" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "54" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "54" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\roblox.com\Total = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "56" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "13185" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "13185" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 058913845b8cda01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 9
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe | N/A | 54

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A (×3)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×34)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (×4)
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A (×2)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A (×3)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×34)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (×3)
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe N/A (×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe (×2)
PID 1020 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe (×2)
PID 924 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe C:\Windows\SYSTEM32\schtasks.exe (×2)
PID 924 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe C:\Windows\SYSTEM32\cmd.exe (×2)
PID 3812 wrote to memory of 3176 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com (×2)
PID 3812 wrote to memory of 2428 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe (×2)
PID 5084 wrote to memory of 4932 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (×11)
PID 4932 wrote to memory of 2632 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (×2)
PID 4932 wrote to memory of 3712 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (×39)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "AntimaIware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Google.exe.exe" /rl HIGHEST /f

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\cmd.exe

"cmd" /K CHCP 437

C:\Windows\system32\chcp.com

CHCP 437

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.0.1400313502\813861642" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1da5833-7381-4f6f-a6c7-45ebc221f67c} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 1796 14da26e1358 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.1.605949834\1685684191" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5610aaa-7a24-46b6-b0e6-f341b46bf0ee} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 2152 14da25fa158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.2.777629894\900811024" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2808 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da460588-37e6-412d-9e67-1527b1d7aadd} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 2704 14da66bf258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.3.1508426383\596075535" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d64cf5e8-7a32-4b3e-9398-e9708c507766} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 3492 14da513de58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.4.1368444818\1880599983" -childID 3 -isForBrowser -prefsHandle 3208 -prefMapHandle 3204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bd2e6db-3ef9-4bac-ad5d-732c2d7423e1} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 3864 14da7bfc658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.5.1793533430\1973727474" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4888 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0874998e-6d2b-478f-a5a2-986495d23dca} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 4896 14d97668458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.6.1228192944\1205408542" -childID 5 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d761117-5167-4674-81bd-9f48176e5916} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 5024 14da8b08e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.7.335325029\2130908228" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9ed82a-fc6f-49e1-89bd-801b54f3ce2b} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 5208 14da8bf4558 tab

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3ab3055 /state1:0x41c64e6d

Network


Files

SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 fc2958dce61bac2e34b0dbf3a7b7a1ab
SHA1 7d16c3da50edc5a0ec06f27dee64c26f7cd9a538
SHA256 5eed25359754a062f3a30c818f69ac703b7145ee55c8d57332ba42030cc767de
SHA512 e0447fdc8f3bb8af67f3a6ecc7b70ee3020eebede2532c3ebe6c4c493958bfc9397b1a6ad151c4e9691859114330e00765f236b9b7834e2ae5d686760bccff1b

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 0381ab672892f89de5ca3f817e76c3cb
SHA1 b458a26ef7ff52b50677f6c56f9e432969a4cf35
SHA256 69dea2c59b528b967b7ac15233f6c7192789a8542ca7bd6535af6dc135ea6942
SHA512 36bfd49f70217dad07c823e1e8bb06a992a369723933c0bf12d4384b13d7e62f590a93427e3d98c67bf503c1fbf60f746d8ec076043e57b2f9a6cc2ea79e8e10

memory/2400-2165-0x0000013AF6D00000-0x0000013AF6D10000-memory.dmp

memory/2400-2184-0x0000013AF65E0000-0x0000013AF65E2000-memory.dmp

memory/3164-2469-0x00000291AFB00000-0x00000291AFC00000-memory.dmp

memory/3164-2475-0x00000291AFD50000-0x00000291AFD52000-memory.dmp

memory/3164-2481-0x00000291B01A0000-0x00000291B01A2000-memory.dmp

memory/3164-2478-0x00000291AFD70000-0x00000291AFD72000-memory.dmp

memory/3164-2484-0x00000291B0280000-0x00000291B0282000-memory.dmp

memory/3164-2496-0x00000291AF140000-0x00000291AF160000-memory.dmp

memory/3164-2503-0x00000291B0A40000-0x00000291B0A60000-memory.dmp

memory/3164-2533-0x00000291AF1E0000-0x00000291AF200000-memory.dmp

memory/3164-2535-0x00000291AF5C0000-0x00000291AF5E0000-memory.dmp

memory/3164-2541-0x00000291B0760000-0x00000291B0780000-memory.dmp

memory/3164-2594-0x00000291B1420000-0x00000291B1440000-memory.dmp

memory/3164-2627-0x00000291B2060000-0x00000291B2160000-memory.dmp

memory/3164-2722-0x00000291B1D20000-0x00000291B1D40000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\DUVNV5WB\www.roblox[1].xml

MD5 d8b60678056a64ed93b2b927b37b47a7
SHA1 e7e544d2deb5e36fe8507fe90abf21263aa16635
SHA256 9d78291ba6d4fd24b27c9fd88b84fff48d08b67b0bf39cbdda536beea73f5dba
SHA512 b57c099b6ab8302fbdd570f126d9c651250d5934e141fd426364fc8e0a2052632ec65c08408a05aaa2e52530bab28216a7e445c7167b3f215f0ea0a37e528a43

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\DUVNV5WB\www.roblox[1].xml

MD5 f7589e7c48fa15a6fd8f876dbd2b7b5a
SHA1 23b35dd49b2a62f554f8fe57e8e6398c182bf235
SHA256 1575623c642a1b19c9f9227b4160dca7763eee6baa15c6342524c90f10374849
SHA512 80bc258debd628df9a5da9f632120cec6a3489b0cfed0424a5e60c3ffb4e99160dc19b6388fa1f3c89a37d1fc0e60e64e6d887612f137323a6fd88c2bd523056

memory/3164-2810-0x00000291B29E0000-0x00000291B2AE0000-memory.dmp

memory/3164-2832-0x00000291B0D20000-0x00000291B0D22000-memory.dmp

memory/3164-3144-0x00000291B0E80000-0x00000291B0E82000-memory.dmp

memory/3164-3346-0x00000291B35B0000-0x00000291B35B2000-memory.dmp

memory/3164-3365-0x00000291AFFF0000-0x00000291AFFF2000-memory.dmp

memory/3164-3384-0x00000291B3980000-0x00000291B3982000-memory.dmp

memory/3164-3387-0x00000291B39A0000-0x00000291B39A2000-memory.dmp

memory/3164-3381-0x00000291B3960000-0x00000291B3962000-memory.dmp

memory/3164-3392-0x00000291B39B0000-0x00000291B39B2000-memory.dmp

memory/3164-4233-0x00000291B2FD0000-0x00000291B2FD2000-memory.dmp

memory/3164-4237-0x00000291B2FE0000-0x00000291B2FE2000-memory.dmp

memory/3164-4240-0x00000291B2FF0000-0x00000291B2FF2000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BLZJPBB5\7bba321f4d8328683d6e59487ce514eb[1].ico

MD5 7bba321f4d8328683d6e59487ce514eb
SHA1 ae0edd3d76e39c564740b30e4fe605b4cd50ad48
SHA256 68984ffee2a03c1cdb6296fd383d64cc2c75e13471221a4bcb4d93fcfa8dab54
SHA512 ed6a932f8818d5340e2e2c09dcc61693e9f9032c7201e05a0ce21c6c521b4ac7dd9204affbbfffd3bcebbebe88337fbd32091eaa1e35469b861834f2523c800d

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFABA2D217E8503BC5.TMP

MD5 8f37a0aace174d0e9de2e4f5fabca6b6
SHA1 24675a4632f9e84ffcb0be26f2e7b67a930403ce
SHA256 6a0804c3c3341e14f3819e57f261859a4211ae2c2e78f682b6fad1bff79781ca
SHA512 69a9e18c6d56d08023c0a78b1d3d4bf65cea5839ba068c43a0401132a4e2ddacef28431787264ce97a29ce49b4d80a45ee9701ec8f890277a9a9dc38bfbf4ce1

memory/924-5377-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 a7ad91947fe763fb2029d003840f3fd0
SHA1 b8c8cbf3fe4b56fa91304a2cc5d7b38352bce1fe
SHA256 f5d53683e306a312664b2cdcb765f3d288ceb1f74d5efa455eeaac1585159f8f
SHA512 d3319a6df7c8dc4d1a4fb10c2396447ba7985891eb32797b3c244b93027e6fa64d21570c68b954b29b78de040aa3321eecea50105061d6d4c1695ccca35fa4ce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json.tmp

MD5 c8dc58eff0c029d381a67f5dca34a913
SHA1 3576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA256 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512 b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

MD5 da4525bc510bd8d7394bd04ca66ed61f
SHA1 ecc2763bb3f7ba57407113cf8f53dc4993c23ebb
SHA256 176728324a367280780374290656f1cff3ccefbfec1edb966d3714948af22fc2
SHA512 8619c9ffa9d8206cc48ece7c064995a74bcae36eb570b16dfeaa97325787fda5601b9be01129d0e923c551766ab1bb9abf96e535bd0205807a254b2587d09e7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 4277099fe50015520ffbf47d747bd693
SHA1 b2f959305147eb1ebbd04425d5aa40b81891a192
SHA256 96820fd03b033d7c5ea63d0eee4be947cd078a73818841368d53fc1cd68be811
SHA512 d2c810de28d3de63e94d52568ff32f776ebced195720a36919ba8bad18c0ac2afc26b5daef394dfd93f9703f67056c788b34ae9d8a7e87a1fcce0ecc5d6bbbb8
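The Files list above mixes two kinds of record: a written-file entry (a path followed by its MD5, SHA1, SHA256 and SHA512 digests) and a memory-region dump named `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp`. Several paths (for example the Firefox `prefs.js`) appear more than once with different digests because they were rewritten during the run, so a naive "one path, one hash" view loses information. The parser below is an added example, not part of the sandbox's report or tooling: it turns this layout into structured records, checks that every digest has the expected hex length, collects the unique SHA256 values for triage, counts rewrites per path, and computes the size of each dumped region from its address range. The `SAMPLE` text is a constructed excerpt copied from the entries listed above; the layout it assumes (blank-line-separated entries, digest lines of the form `ALGO hex`) is inferred from this page only. The parser extracts, it does not classify: deciding which of these writes belong to the sample rather than to the sandbox's own browser activity is left to the analyst.

```python
import re
from collections import Counter

# Expected hex-digest lengths; anything else indicates truncation or a copy error.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Layout assumed from this page: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed excerpt taken from the Files entries above: two rewrites of the same
# Firefox prefs.js, one Edge cache file and two memory-region dumps.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 de71340a16a628bfbe99639534869e41
SHA1 80d86cc45208202bcd6b1e581e585f17cc9e897d
SHA256 addfd9239638f0e183df5ccb0fc435ec2708cc661dee09c4939c57c86d989b94
SHA512 34edf4e91700ec2eafd71dea7211509422aa984bba3354d591cc9b376143596ca06d2b12bb8d81f968a29f35e6ba90b9605eae9025059b09a28054acb8812ea2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 9bad0e85bc14a28e807bf5520a6d9f00
SHA1 fa9d00a2f4d9f5cc252599310230448ce2d00d92
SHA256 81070c2b40c67c42d7a743bb77342f368e189a29a8265b4255aba355263ae752
SHA512 4a60d6a8020d9443258dc8f9c2b06bd0a1008ad4a23eb61609ee4268354a1481a251dba2f931ead1c8f151836cd0e1c56c1ffe2880d3961f1eaac6ca2389730d

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BLZJPBB5\7bba321f4d8328683d6e59487ce514eb[1].ico

MD5 7bba321f4d8328683d6e59487ce514eb
SHA1 ae0edd3d76e39c564740b30e4fe605b4cd50ad48
SHA256 68984ffee2a03c1cdb6296fd383d64cc2c75e13471221a4bcb4d93fcfa8dab54
SHA512 ed6a932f8818d5340e2e2c09dcc61693e9f9032c7201e05a0ce21c6c521b4ac7dd9204affbbfffd3bcebbebe88337fbd32091eaa1e35469b861834f2523c800d

memory/2400-2165-0x0000013AF6D00000-0x0000013AF6D10000-memory.dmp

memory/924-5377-0x00007FFCF86F0000-0x00007FFCF90DC000-memory.dmp
"""


def parse_files_section(text):
    """Split the Files section into written-file records and memory-region records."""
    files, memory = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            memory.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                           "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest line without a preceding path: {line}")
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Any other non-empty line starts a new written-file record.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return {"files": files, "memory": memory}


def hash_problems(record):
    """Return a list of missing or wrong-length digests for one file record."""
    problems = []
    for algo, expected in HEX_LEN.items():
        digest = record["hashes"].get(algo)
        if digest is None:
            problems.append(f"{algo} missing")
        elif len(digest) != expected:
            problems.append(f"{algo} has {len(digest)} hex chars, expected {expected}")
    return problems


def digests(records, algo="SHA256"):
    """Unique digests of one algorithm, ready to feed into a blocklist or hunt query."""
    return {r["hashes"][algo] for r in records if algo in r["hashes"]}


def rewrite_counts(records):
    """How many times each path was written during the run."""
    return Counter(r["path"] for r in records)


if __name__ == "__main__":
    parsed = parse_files_section(SAMPLE)
    for rec in parsed["files"]:
        print(rec["path"], hash_problems(rec) or "digests ok")
    print("rewritten:", {p: n for p, n in rewrite_counts(parsed["files"]).items() if n > 1})
    print("unique SHA256:", len(digests(parsed["files"])))
    for m in parsed["memory"]:
        print(f"pid {m['pid']} region {m['start']:#x}-{m['end']:#x} ({m['size']} bytes)")
```

Run it against the whole Files section by replacing `SAMPLE` with the report text; the rewrite counter is the quickest way to spot browser profile files that were touched repeatedly, and the region sizes help separate small heap allocations (0x2000-byte dumps from PID 3164) from the large image-sized mapping dumped from PID 924.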