hxxp://cod2master[.]activision[.]com

Analysis

max time kernel
1209s
max time network
1204s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cod2master.activision.com

Score

10^/10

agilenet evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables Task Manager via registry modification
evasion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 1 IoCs

Processes:

eulascr.exe

pid process

1608 eulascr.exe
Loads dropped DLL 1 IoCs

Processes:

eulascr.exe

pid process

1608 eulascr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
1608	eulascr.exe

pid	process
1608	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe	agile_net
behavioral1/memory/1608-313-0x0000000000420000-0x000000000044A000-memory.dmp	agile_net

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

robloxcheat.exerobloxcheat.exe

description	ioc	process
File opened (read-only)	\??\R:	robloxcheat.exe
File opened (read-only)	\??\X:	robloxcheat.exe
File opened (read-only)	\??\A:	robloxcheat.exe
File opened (read-only)	\??\V:	robloxcheat.exe
File opened (read-only)	\??\E:	robloxcheat.exe
File opened (read-only)	\??\I:	robloxcheat.exe
File opened (read-only)	\??\K:	robloxcheat.exe
File opened (read-only)	\??\G:	robloxcheat.exe
File opened (read-only)	\??\E:	robloxcheat.exe
File opened (read-only)	\??\K:	robloxcheat.exe
File opened (read-only)	\??\S:	robloxcheat.exe
File opened (read-only)	\??\U:	robloxcheat.exe
File opened (read-only)	\??\J:	robloxcheat.exe
File opened (read-only)	\??\V:	robloxcheat.exe
File opened (read-only)	\??\Y:	robloxcheat.exe
File opened (read-only)	\??\P:	robloxcheat.exe
File opened (read-only)	\??\W:	robloxcheat.exe
File opened (read-only)	\??\B:	robloxcheat.exe
File opened (read-only)	\??\H:	robloxcheat.exe
File opened (read-only)	\??\J:	robloxcheat.exe
File opened (read-only)	\??\N:	robloxcheat.exe
File opened (read-only)	\??\R:	robloxcheat.exe
File opened (read-only)	\??\H:	robloxcheat.exe
File opened (read-only)	\??\O:	robloxcheat.exe
File opened (read-only)	\??\S:	robloxcheat.exe
File opened (read-only)	\??\W:	robloxcheat.exe
File opened (read-only)	\??\Z:	robloxcheat.exe
File opened (read-only)	\??\X:	robloxcheat.exe
File opened (read-only)	\??\Y:	robloxcheat.exe
File opened (read-only)	\??\T:	robloxcheat.exe
File opened (read-only)	\??\Z:	robloxcheat.exe
File opened (read-only)	\??\I:	robloxcheat.exe
File opened (read-only)	\??\M:	robloxcheat.exe
File opened (read-only)	\??\Q:	robloxcheat.exe
File opened (read-only)	\??\G:	robloxcheat.exe
File opened (read-only)	\??\L:	robloxcheat.exe
File opened (read-only)	\??\O:	robloxcheat.exe
File opened (read-only)	\??\A:	robloxcheat.exe
File opened (read-only)	\??\B:	robloxcheat.exe
File opened (read-only)	\??\L:	robloxcheat.exe
File opened (read-only)	\??\P:	robloxcheat.exe
File opened (read-only)	\??\Q:	robloxcheat.exe
File opened (read-only)	\??\T:	robloxcheat.exe
File opened (read-only)	\??\N:	robloxcheat.exe
File opened (read-only)	\??\U:	robloxcheat.exe
File opened (read-only)	\??\M:	robloxcheat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

203 discord.com
204 discord.com
205 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
203	discord.com
204	discord.com
205	discord.com

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2180 taskkill.exe
6060 taskkill.exe

pid	process
2180	taskkill.exe
6060	taskkill.exe

Modifies registry class 64 IoCs

Processes:

Popup.exerobloxcheat.exemsedge.exerobloxcheat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Popup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{EAACD7CE-B43E-420A-8DAD-95666F84F6E3}	robloxcheat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5a003100000000008b583c66100053797374656d33320000420009000400efbe874f77488b583c662e000000b90c000000000100000000000000000000000000000028ad7f00530079007300740065006d0033003200000018000000	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "11"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Popup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{201C79E5-17A4-45A9-9D1C-A8A5F7EDFA06}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy	Popup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{6805A83A-6713-402B-A51F-538847E8FC73}	robloxcheat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 560031000000000073583797100057696e646f777300400009000400efbe874f77488b583d662e000000000600000000010000000000000000000000000000001eeff800570069006e0064006f0077007300000016000000	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlgLegacy	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	Popup.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

chrome.exetaskmgr.exeWindowsUpdate.exetaskmgr.exeeulascr.exe

pid	process
3824	chrome.exe
3824	chrome.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
5356	WindowsUpdate.exe
5356	WindowsUpdate.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
4532	taskmgr.exe
1608	eulascr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Popup.exe

pid process

5684 Popup.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3824 chrome.exe
3824 chrome.exe

pid	process
5684	Popup.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

chrome.exerobloxcheat.exeAUDIODG.EXErobloxcheat.exetaskmgr.exetaskmgr.exeeulascr.exetaskkill.exetaskkill.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3052	robloxcheat.exe
Token: SeCreatePagefilePrivilege	3052	robloxcheat.exe
Token: 33	3636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3636	AUDIODG.EXE
Token: SeShutdownPrivilege	3052	robloxcheat.exe
Token: SeCreatePagefilePrivilege	3052	robloxcheat.exe
Token: SeShutdownPrivilege	3052	robloxcheat.exe
Token: SeCreatePagefilePrivilege	3052	robloxcheat.exe
Token: SeShutdownPrivilege	6076	robloxcheat.exe
Token: SeCreatePagefilePrivilege	6076	robloxcheat.exe
Token: SeShutdownPrivilege	6076	robloxcheat.exe
Token: SeCreatePagefilePrivilege	6076	robloxcheat.exe
Token: SeDebugPrivilege	3704	taskmgr.exe
Token: SeSystemProfilePrivilege	3704	taskmgr.exe
Token: SeCreateGlobalPrivilege	3704	taskmgr.exe
Token: 33	3704	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3704	taskmgr.exe
Token: SeDebugPrivilege	4532	taskmgr.exe
Token: SeSystemProfilePrivilege	4532	taskmgr.exe
Token: SeCreateGlobalPrivilege	4532	taskmgr.exe
Token: 33	4532	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4532	taskmgr.exe
Token: SeDebugPrivilege	1608	eulascr.exe
Token: SeDebugPrivilege	6060	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: 33	5924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5924	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exerobloxcheat.exerobloxcheat.exetaskmgr.exe

pid	process
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3052	robloxcheat.exe
6076	robloxcheat.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe
3704	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MrsMajor3.0.exePopup.exe

pid process

4028 MrsMajor3.0.exe
5684 Popup.exe

pid	process
4028	MrsMajor3.0.exe
5684	Popup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3824 wrote to memory of 1516	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1516	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1748	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1044	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 1044	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe
PID 3824 wrote to memory of 3472	3824	chrome.exe	chrome.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://cod2master.activision.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb01249758,0x7ffb01249768,0x7ffb01249778
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:2
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:8
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:1
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1916,i,5942310968674367189,4725254239566581859,131072 /prefetch:1
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4076 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4244 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5820 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5460 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5624 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5936 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5308 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5976 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5252 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4652 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=5436 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6236 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5480 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6264 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6584 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7092 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6328 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6216 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7084 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7152 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=7528 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=7476 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=7232 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6320 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7312 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5648 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6252 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1
1⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6664 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:6028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1012

C:\Users\Admin\Desktop\robloxcheat.exe
"C:\Users\Admin\Desktop\robloxcheat.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\Desktop\robloxcheat.exe
"C:\Users\Admin\Desktop\robloxcheat.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6580 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8
1⤵
PID:2444

C:\Users\Admin\Desktop\Hydra.exe
"C:\Users\Admin\Desktop\Hydra.exe"
1⤵
PID:5696

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3704

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5356

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\rickroll.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\rickroll.exe"
1⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
1⤵
PID:3708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe"
1⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Launcher.exe"
1⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Flasher.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Flasher.exe"
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Curfun.exe"
1⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E94D.tmp\E94E.tmp\E94F.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:5792

C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Popup.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5684

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\rogues\SpySheriff.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\rogues\SpySheriff.exe"
1⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
1⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Trololo.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Trololo.exe"
1⤵
PID:2404

C:\Windows\system32\taskkill.exe
taskkill.exe /f /im explorer.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskkill.exe
taskkill.exe /f /im taskmgr.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
264494f45339bc5382627defb0f94d62

SHA1
a0f7116148a3a9c2d1c4c18917b42ff5b387ec5d

SHA256
77c4ac44150ee280fbb930a32f0212082f337a156d71287cf5731e19d9c5e922

SHA512
e18c26126659805911e1ff9533264b132f9a7d6cd412b735ebf6b11b1100db9fdf1aca663721677390eb92cb2347e188ef9ad760aac9f86ca02a51407a13b92d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f4164c422a47d9a7ce97e356c0c07c5a

SHA1
7d14926a6c78b24074fe63ed95a7cadde20f21ee

SHA256
e04fb993c30b83c2560bf22d01d573e3baec4b9d7d3767b07d0c9dd091783fe2

SHA512
aa82ae7dbee2cc7b2e69cddc8aaa1c58994e2333fb74853808613d73ccce4fc417062e8c91e83a86a3c6bda88bffaa7a47d95690316c9e677ba15ddb3b8806ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b83acae9a5426caaaf3dd5cfa33ddd50

SHA1
3b8c558ed20615458e07c6e8269de180689487d8

SHA256
fcdf559f706f1ee68e71eed08973e29ffaad380c104acd3f6792a15d221691b2

SHA512
382b8885d13e20c0e7b078adffaebedddbbf5351ca7f2492e2fbcba4a4b25bfc1a2cf02a4489d3141907023499b8c816ed20a76372e2e4361990e9603c39a9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
c0f85fa619318ab1c9ac5ed7b9782428

SHA1
a6dc40d2df2447ccb6aff707336cd7df7d86c7b2

SHA256
e49228f483be143c726e309088f5627b81cc13dfca4f876dfab61e2f9872a12f

SHA512
09f28a063a38461afb5a835b85d1626b6eeda52a5cd8402de5447c8e62c40e91dddfc7d36031d7e2c8f28e9cb792339e8124a2fe55d7926164cc9ed128622bc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\robloxcheat.exe.log

Filesize
2KB

MD5
6d1fdaa0eab80613585a67eddff3c32d

SHA1
f270d9d29c067a7b03d381e52c922ad20a594de5

SHA256
8e4e4153f0340300a69b3f25bfbc9ac720e7595783d683ccfbf7982267e0af1e

SHA512
97ac919b5203bc5d26b57be5173cc22f98e6a19eca7822d7e99eed7011d653bbbce64bf4d5e3c35cfc7ed8214d4efe54923819ff41fda95aaa40d485068c54d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
1713cb02734720b44e1771c032f3228c

SHA1
e27543b66d880715faa3fa91c7da45a74c3876da

SHA256
bb69b3f4db654cb07ad3162e9a350e15cd59f56eb0075abab5fc0dd1a5ecec3e

SHA512
511440736967a3b16f3a0b6ee1040880f94e7a63e492ff01e3613b2805ea0ef1b5daba49dcc469cd85851dfc9f6825802f77d4899a99f8c6b51c5642c158e620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
2454898bbdda301d19a5d8de50026d35

SHA1
b0158fd443a6e786e8d161d20e044edb69c184a4

SHA256
41f70743650e3566fed60722fcdcd481443d129afef435b1603e8c1d7beaa673

SHA512
018e21e5610485e943791dd1aaa7cb41e0044c0fb1f9f27cfa7441a9a468c201e489de5f9007a9b872b01c9554c3d7d07a1b8096b0f7bbcb5cc098ae037ce63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
e17b3915f93b9206a287b44d0efeb2be

SHA1
b0ffce1b60b1ee448e442ad716e56ce8b4dddce0

SHA256
1b84b451af51d88db6b84426e331db8b71d2d018c673039eb29f7756a6939e26

SHA512
37c8b0062a2368955020e35a74e939efe8d754464a67d783e7c044b467125e91b146685744e849f8002d5850647954e0db7ec14e653805a88e58b913d5097131

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\E94D.tmp\E94E.tmp\E94F.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E94D.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\Desktop\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
\??\pipe\crashpad_3824_OWDKAZGYJKVFWDDU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1608-324-0x000000001D720000-0x000000001D8E2000-memory.dmp

Filesize
1.8MB

Download
memory/1608-314-0x00007FFAFF570000-0x00007FFB00031000-memory.dmp

Filesize
10.8MB

Download
memory/1608-313-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1608-315-0x000000001B1F0000-0x000000001B200000-memory.dmp

Filesize
64KB

Download
memory/1608-323-0x000000001B1F0000-0x000000001B200000-memory.dmp

Filesize
64KB

Download
memory/1608-331-0x00007FFAFF570000-0x00007FFB00031000-memory.dmp

Filesize
10.8MB

Download
memory/1608-325-0x000000001DE20000-0x000000001E348000-memory.dmp

Filesize
5.2MB

Download
memory/1956-409-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2352-236-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2352-239-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2352-256-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2404-418-0x00007FFAFEF30000-0x00007FFAFF8D1000-memory.dmp

Filesize
9.6MB

Download
memory/3052-100-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/3052-99-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/3052-84-0x0000000000BD0000-0x0000000001034000-memory.dmp

Filesize
4.4MB

Download
memory/3052-136-0x00007FFAFED50000-0x00007FFAFF811000-memory.dmp

Filesize
10.8MB

Download
memory/3052-122-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/3052-121-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/3052-120-0x00007FFAFED50000-0x00007FFAFF811000-memory.dmp

Filesize
10.8MB

Download
memory/3052-102-0x000000001C460000-0x000000001C46E000-memory.dmp

Filesize
56KB

Download
memory/3052-101-0x000000001C490000-0x000000001C4C8000-memory.dmp

Filesize
224KB

Download
memory/3052-85-0x00007FFAFED50000-0x00007FFAFF811000-memory.dmp

Filesize
10.8MB

Download
memory/3052-86-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/3052-97-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/3164-383-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3164-397-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3280-250-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3280-240-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3280-245-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3328-231-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3328-233-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3704-170-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-174-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-175-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-163-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-164-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-165-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-169-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-171-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-173-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3704-172-0x000002105D140000-0x000002105D141000-memory.dmp

Filesize
4KB

Download
memory/3708-193-0x000000001BBA0000-0x000000001BC46000-memory.dmp

Filesize
664KB

Download
memory/3708-195-0x000000001C120000-0x000000001C5EE000-memory.dmp

Filesize
4.8MB

Download
memory/3708-196-0x00007FFAFEE70000-0x00007FFAFF811000-memory.dmp

Filesize
9.6MB

Download
memory/3708-197-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/3708-198-0x000000001C6D0000-0x000000001C76C000-memory.dmp

Filesize
624KB

Download
memory/3708-199-0x0000000001460000-0x0000000001468000-memory.dmp

Filesize
32KB

Download
memory/3708-200-0x000000001C980000-0x000000001C9CC000-memory.dmp

Filesize
304KB

Download
memory/3708-202-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/3708-221-0x00007FFAFEE70000-0x00007FFAFF811000-memory.dmp

Filesize
9.6MB

Download
memory/3708-220-0x00007FFAFEE70000-0x00007FFAFF811000-memory.dmp

Filesize
9.6MB

Download
memory/3708-194-0x00007FFAFEE70000-0x00007FFAFF811000-memory.dmp

Filesize
9.6MB

Download
memory/4332-189-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4532-206-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-217-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-212-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-213-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-214-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-216-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-215-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-207-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/4532-205-0x0000012DC8890000-0x0000012DC8891000-memory.dmp

Filesize
4KB

Download
memory/5356-251-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5356-185-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/5356-183-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5356-182-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/5356-181-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5356-180-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5380-226-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/5380-228-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5684-360-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/5684-342-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/5696-162-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5696-178-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5696-177-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5696-161-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

Filesize
40KB

Download
memory/5696-160-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5696-159-0x0000000004B00000-0x0000000004B92000-memory.dmp

Filesize
584KB

Download
memory/5696-158-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/5696-157-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/5696-156-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/5696-176-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/5696-179-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/6076-155-0x00007FFAFED50000-0x00007FFAFF811000-memory.dmp

Filesize
10.8MB

Download
memory/6076-150-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/6076-149-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/6076-153-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/6076-148-0x00007FFAFED50000-0x00007FFAFF811000-memory.dmp

Filesize
10.8MB

Download
memory/6076-140-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/6076-139-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/6076-138-0x00007FFAFED50000-0x00007FFAFF811000-memory.dmp

Filesize
10.8MB

Download