hxxps://github[.]com/Kampfkarren/Roblox/files/15001743/Roexec[.]zip

Analysis

max time kernel
90s
max time network
91s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25/04/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Kampfkarren/Roblox/files/15001743/Roexec.zip

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Roexec.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3688	msedge.exe
3688	msedge.exe
560	msedge.exe
560	msedge.exe
3960	msedge.exe
3960	msedge.exe
1896	identity_helper.exe
1896	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2784	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4848	3688	msedge.exe	79
PID 3688 wrote to memory of 4848	3688	msedge.exe	79
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3840	3688	msedge.exe	80
PID 3688 wrote to memory of 3092	3688	msedge.exe	81
PID 3688 wrote to memory of 3092	3688	msedge.exe	81
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82
PID 3688 wrote to memory of 4080	3688	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Kampfkarren/Roblox/files/15001743/Roexec.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe80353cb8,0x7ffe80353cc8,0x7ffe80353cd8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12990955416432730624,13813031253693960180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1448

C:\Users\Admin\Downloads\Roexec\compiler.exe
"C:\Users\Admin\Downloads\Roexec\compiler.exe"
1⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Roexec\Launcher.bat" "
1⤵
PID:1080
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4608
- C:\Users\Admin\Downloads\Roexec\compiler.exe
  compiler.exe config
  2⤵
  PID:2904

C:\Users\Admin\Downloads\Roexec\compiler.exe
"C:\Users\Admin\Downloads\Roexec\compiler.exe"
1⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Roexec\Launcher.bat" "
1⤵
PID:4740
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4732
- C:\Users\Admin\Downloads\Roexec\compiler.exe
  compiler.exe config
  2⤵
  PID:1152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
c7d2f1f98ae4dbef2d1a59f118d5a99c

SHA1
c342db2b5c237515337f5ff9392ea5a060f8662a

SHA256
0d9cbf949b07344c0adc39236f3ec6103cd1d15c0261bdb6073312e959b230f1

SHA512
d2414161a55f49bf86f1a2f25aebe68f8a15c6efda4cec2678bf89e7ab6cddf2ab41981fd2cba6d668b452f0182df3e79edfaa88892964fbebcf73c3d533076c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
a2288d215c2870c31d2159a5b9133a56

SHA1
5024d4a33c81a66a807e64e55653889d6d652709

SHA256
45ed44f944082027ac7e764f46fda00db5c8fe3532ee3b9b299f8007498810c7

SHA512
82d0dd06357b4aa98d3b0c069bc51aa2a9eb805bfb8e2367d29ec00c02c6221b1acb59093c49c0921b7dd0a1addc38cd8ae2ce1c90ace4efdeef4bbd25a03b6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37c6f34c0b6742b7ec13e190ff6e8c06

SHA1
fe7c8749e9ad1efbce06d7d685a292efffa2f113

SHA256
0d369eec55e553a8a730b25060938c76719c8b4cf3234eee79b20e9989b66a5b

SHA512
4de44722de9cb38a2cbefcb7ca12786253d6624bc9c234fde1d8f655af75dd66450d95ebfd8aaa7deb22042add2d1f212f8b242f784ef7095833a5ba79d007a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2ff9a020cc327dc67034accb52843e2f

SHA1
c2653b9f2d12c07e97f5ae0b2411e8b754e04fc8

SHA256
28a81b95f2e0d5addb99fb901115cdf24627206c21721bf5893a8644591d70c7

SHA512
b26b9f14caf7b2e8bb430154aec21178ffe688f38b35e9e6812b03165144fc5cc37e1dc4780459145e5a2e52421f17d7039b195f9152f13e93497ef3045ea63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
501c4897dc05bf3d1431793f1c63806f

SHA1
b2e6b910aee953dc595f03069b49cc31c5d8fa95

SHA256
30572eb1963ade43174f1bdd6310713aa746695c538bed092afde663ed6f350c

SHA512
fec7d5ac99f2392a0a969ff5b630c532067f3c338a57a7a046e7ea2d0ec6883938c8571e5fb1f8379c9f374bf4d27f74ac6a276e05ac44d636b2b200472a5a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
626f762b7db945d124eb71e5cd572ee3

SHA1
71e37021a897684e8be3bfde479673a1169bd4da

SHA256
ba8d4393cb000a95bcdf54aa4ffd4e1fe53cdb181d02942f0d178a42d0dcdfa9

SHA512
6e59c865232dad35c68075a188c2cac6af780c4f7acd951b3cd381e81488e61ef6bd9818bdf719c13d89453a371d34a50fb3d3641ed018bd03d623b0c7f542fb

Download Submit
C:\Users\Admin\Downloads\Roexec.zip

Filesize
457KB

MD5
59df51c70895f981457de37ccf83aedf

SHA1
d54a38d73c3148ff0b6c8b96669b48017220b962

SHA256
ac8e9c3db9933684515f091b2637bce105febd069ab8fe6fb0e0ac3caba1ee8b

SHA512
a075814e1491fbb8e5baf1f274b4b4d19fdda8874fcfe3d62f3880d94d4311e867f9c1f58f86479c9a8a7175a2eebcdf47203c51a71e681f413d9cb4d0c408b1

Download Submit
C:\Users\Admin\Downloads\Roexec.zip:Zone.Identifier

Filesize
554B

MD5
fb59f849afe540c5772b18c14c82903d

SHA1
b91e1d01c77577d8b9670e9d60b3a58abaa9c0a6

SHA256
0741796f2efb8d77585f62b8d650a46faf9b42bb7f56211efc8c26fa59ed88cf

SHA512
b52d3d6c43f5c46d7abaac4a07570e364f8528b9c781ac78930e059331d605520fa87c7291dc69731aaf01dc689931c2fa2a6c09a07258dd6c5a687344ef1ed4

Download Submit
memory/1152-335-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1152-333-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1152-326-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2904-118-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-133-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-107-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-106-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-105-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-104-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-103-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-101-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-108-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-109-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-110-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-111-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-112-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-113-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-114-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-115-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-126-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-127-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-125-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-124-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-123-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-122-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-121-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-120-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-119-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-100-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-117-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-116-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-128-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-129-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-130-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-134-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-135-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-102-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-132-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-131-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-136-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-137-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-138-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-140-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-141-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-142-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-139-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-144-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-145-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-143-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-147-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-146-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-148-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-149-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-150-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-151-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-152-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-153-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-155-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-154-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-156-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-157-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-158-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-172-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2904-171-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2904-99-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-96-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-98-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-97-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-95-0x000000007F830000-0x000000007F840000-memory.dmp

Filesize
64KB

Download
memory/2904-177-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download