redline | hxxps://www[.]mediafire[.]com/folder/8oc6aeqi375es/Roblox_x_Executor

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/8oc6aeqi375es/Roblox_x_Executor

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/3860-594-0x0000000000400000-0x000000000044A000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3860-594-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 3860	3800	Roblox Executor.exe	153
PID 6228 set thread context of 5368	6228	Roblox Executor.exe	159
PID 7020 set thread context of 1068	7020	Roblox Executor.exe	167
PID 5976 set thread context of 3624	5976	Roblox Executor.exe	176
PID 4920 set thread context of 4648	4920	Roblox Executor.exe	179
PID 6892 set thread context of 5092	6892	Roblox Executor.exe	182

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1788	msedge.exe
1788	msedge.exe
968	msedge.exe
968	msedge.exe
1520	identity_helper.exe
1520	identity_helper.exe
6084	msedge.exe
6084	msedge.exe
3860	RegAsm.exe
3860	RegAsm.exe
3860	RegAsm.exe
5368	RegAsm.exe
1068	RegAsm.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
3624	RegAsm.exe
3624	RegAsm.exe
5684	taskmgr.exe
4648	RegAsm.exe
4648	RegAsm.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5092	RegAsm.exe
5092	RegAsm.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	RegAsm.exe
Token: SeDebugPrivilege	5368	RegAsm.exe
Token: SeDebugPrivilege	1068	RegAsm.exe
Token: SeDebugPrivilege	5684	taskmgr.exe
Token: SeSystemProfilePrivilege	5684	taskmgr.exe
Token: SeCreateGlobalPrivilege	5684	taskmgr.exe
Token: SeDebugPrivilege	3624	RegAsm.exe
Token: SeDebugPrivilege	4648	RegAsm.exe
Token: SeDebugPrivilege	5092	RegAsm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
968	msedge.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 5056	968	msedge.exe	83
PID 968 wrote to memory of 5056	968	msedge.exe	83
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1204	968	msedge.exe	84
PID 968 wrote to memory of 1788	968	msedge.exe	85
PID 968 wrote to memory of 1788	968	msedge.exe	85
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86
PID 968 wrote to memory of 884	968	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/8oc6aeqi375es/Roblox_x_Executor
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f93d46f8,0x7ff8f93d4708,0x7ff8f93d4718
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
  2⤵
  PID:6244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8896 /prefetch:1
  2⤵
  PID:6256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8900 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9052 /prefetch:1
  2⤵
  PID:6332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9316 /prefetch:1
  2⤵
  PID:6340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9448 /prefetch:1
  2⤵
  PID:6348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9668 /prefetch:1
  2⤵
  PID:6704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9652 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:7008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:7016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9576 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8352 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10076 /prefetch:1
  2⤵
  PID:6156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10616 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10232 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9564 /prefetch:1
  2⤵
  PID:6156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9360 /prefetch:1
  2⤵
  PID:6696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,16236291519646989288,5306006673723700625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6468

C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe
"C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860

C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe
"C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:6228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5368

C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe
"C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:7020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5684

C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe
"C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624

C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe
"C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648

C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe
"C:\Users\Admin\Downloads\Roblox Executor New Update\Roblox Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:6892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
60ad21e008a8447fc1130a9c9c155148

SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730

SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9

SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0aff826f-67dc-4e81-a995-d441bb3349e8.tmp

Filesize
13KB

MD5
f73226f3b6c20472c3867388b408e56a

SHA1
640f2bee5564a8e40aa101961943bfac4d0170df

SHA256
66981e3242dc05d6163caa6640055246c99032924d32fdf66ca8a2053c58747b

SHA512
e72087cb0aaa6ffacbd65c2bc8781c7b158892d5abf689c9934768b42e718461d8a09747f0415c97104cf35e22d2d2160ddc313d224090c99d80698c863e1c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
62KB

MD5
e2f5339567cadf1f367ae23c6ba2fe2e

SHA1
7b44030002c1b97bd95912ff696ec34d2335017c

SHA256
cb3c31fd9cb4a76d2a6b2d5c8177d121ad4c0bd1e3c0434d5eaacefa141c3ec2

SHA512
f6310fc1f14dc9067875cc67ddc57bb34a59b4772def6b355f0e23d951489361e4e732904ed7fbdded0a2dd0414e4fbdc74ad4c3287946113b956fd7246817b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
31KB

MD5
f46e467f0ce4cfe941d7ab027d90a82c

SHA1
320c6562c1d7d1ce7d157db36ff8a3344cfda052

SHA256
c99ccba9fb436fc1d57950c7fdea18ccabf5bcc81c37079ecb789e197f6b183d

SHA512
903de351ba6a5574acf883bb7e4dd6e1a5a9ca6aa0f4607b36fe78205ba0be5e25de112b6ba4901d8f301482fabc766469f418d80b7e072e5a7a2c9aafa38509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d3b7e9083e2545af3e004ed2c0ebe1c8

SHA1
b0acbbf2cee072dd73c5f638cd9c54380a5fe163

SHA256
187ce637f89191ce05a02699048e756595f6452ede62c8d2cd8bf351945bac25

SHA512
6d00eba5a039bf845aa111694d7d443d83638bc72a3f1d6e9d7ce09f19fb0587e09f099862b754605814270ed0d92966dcc82695502f98c82f876c68f1812a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
57be694c1fa3803a5497ee370c4c2d57

SHA1
ca34276276402feb88ae0173584cd0cf76bbb5fe

SHA256
1a6993f3c73a97feadbc26629f2a88fa66772c8b86e9cad41f4f3dfad302fe1e

SHA512
1813b85ca72f980edf76db763a4887fe13abb400a81d8f098a86f19fa15c24d28700cb57b2dcdb65242bd7296943c1095d856403043541e93a70aae71083ab93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
40KB

MD5
f09e7f7dc813eb1d3419542506e2f936

SHA1
4d21a8b096f3acf5c188d2ec6fcd37a3f4aa76e8

SHA256
8a46207363fff00fbac23d763e100e364d13fa2d6f4207d30f6e40addbd47b8a

SHA512
35f99a2c1d1df3bf3e61cc4a3012acb231f2130fb2e3ae275d66b51b67a4f584575cc0030ad5ec52f7b0b2b04d413f8d9d1c237ecd68290c2cdeca5baba855f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
003742be77a5fec02f7ee119325c0917

SHA1
44d9e5f1001bb0c548cd1a0fde449e33ccf5be7b

SHA256
6c75847a7c635dda7b8c2897630a27c69db13daaeef7d66283e878781e2546a9

SHA512
028d9595eb7f696f1ec2fe43a3c76582ab63dc23deddd633af2110051b5af8657ad6bf3a26ec1537067499df85dd9a2760be973b1699c8e3ce5f933e232a3eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f1ed9da4f7391fe7f426ef13ff0fc9c

SHA1
2f136c0c693186ab2da9de9d5021ca5f7e2af862

SHA256
fea0056a4c2757e8bbe26271b540136c2043a1611a644fed966538d325edb85b

SHA512
7a165c564ce8d0c39beab0a42cfbbe42f52aeb9c191747d1cf9bef374e880a85b30872d2be5f5a272904955cf85bda9e3209e6272b45e52af15c98669b09d5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
66a191c344ca3c8596349a3ac43fcd67

SHA1
a7fceecf1729d261aa10010286c35db01f6cff51

SHA256
d1b615a4367cb430509e1bf8b59729d57c7fdd1699bc2a5963d22a0711f38e01

SHA512
1ff93fe755b3389a4a8cf8bdb0e612b0b3454102b79365c44c525d6cdbeef74cb4004b08cc5074c62edc465f3295a5d6d13b2b8f16e0ce49c242153022bfe08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
d893a3d65f926823b1cd67de4cb8d74b

SHA1
f201baea33d905737f1f4a609c33e120ec4fc41a

SHA256
40ff75e7a7e641ea5d166f8d0c5a22431266e068eebe7a56c25a78a0a4d8413b

SHA512
7f043a46f6ab62cd2f1e303d02a49289086e2b4495074f18bdc8908dce4e8cd277a88e8bd51b68d53de1c7094de201ec31e15629e19801db7f37ce2698d2969d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e21016f696b4b42feb3d8a7c896fd473

SHA1
9bb30a46b073e294d84924175d68ae6610f5266e

SHA256
4ada2de69e1f359d52400e3bf99b57454af9dcdde97728657734b08002984f63

SHA512
ed1463ff2080ad74eb80719eca3b48a6a74a88711780b52712397b6531f6162f4677752161f6d8f384f9275dc23f68699fd0eb95008de33e83cf5a61588be99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
321276293ba05dfd1353cc02422c772b

SHA1
3ba62f46de124f6cfd67827ba63c16faeb3465c8

SHA256
bab37379f29ed254da4ebd497b7968717dc1067be942d3679a0bcbb204e23da9

SHA512
221bd9d34bb8bcc448416ae51d887d16cc2725731e200de25db863f070fcf898661c1de5a9b1ecfe203dc5d390319d0621702e7e0cc6232f810143301bd6e14f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578ca0.TMP

Filesize
1KB

MD5
9b0bc6c70a7b6029a1be2781545039e1

SHA1
d9c51427f87177f9881385bea664087a70d2092b

SHA256
22252c24e04e1364333ad4f6dfb7dad4f470bc77ecf7d62c768f73a12eb70f5c

SHA512
338d2e9d2bd3f0cdba6916b1c9c5d736336591b690e931d757e8fbb6228ea7b147eb7139de09dd5d2890427dd91fad4d9bab14f36d63b58a39d0a0f7edc06b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
398b9b7a79a7576916f5738701c02039

SHA1
3048a1e928c2a95727e5a6a982b84f3cf543043b

SHA256
9ff462ec302ebe1bef60d580230c9b0b8944aba0f147c7b7c7a20db2dfed0ecf

SHA512
527e5feac92820d18e205052e193470ed6e7d8fcb034d1fea9ce2ad3a0a8d7109420ae18c7d163c9619e82b20eb1b588f64595ee31cbbd132fac77bce9f515ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5174bac12fb87d01707648f8d1b13d84

SHA1
4ee61c9582f2065e28a5debed9af509292ad98d8

SHA256
2ff94ed02ebdf6e5813240545eadbb32fb1ab16538d1ad6a6aa804dfb81a0e6a

SHA512
ea5c2f286cb63286adf0667c377b0db3d3dd3f1ab08f8ba6957d889d7aa07ac5abf5c865d33450a776cd7b30ed9b101ceb23fe75c9a828d84522e50697bfcf51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba77eb6f691ab91a271d95b1abbf92b1

SHA1
8664944ddb93ceed17fe370c838177068f85befc

SHA256
d4a3ed20c31e240487d82709a31deb07930c38dc8ae5acf231ff68575430a8c9

SHA512
feb037ffe4a520d6dfd3e3c0d612c225c24dbb8261e39d407c9367861ee05f8d2280748192fbed40a2a2e2baaccf91bd85fff654cd7eea9d37dcc916b54a49d7

Download Submit
memory/3860-602-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/3860-607-0x0000000009270000-0x000000000979C000-memory.dmp

Filesize
5.2MB

Download
memory/3860-598-0x0000000006EC0000-0x00000000074D8000-memory.dmp

Filesize
6.1MB

Download
memory/3860-599-0x00000000069F0000-0x0000000006AFA000-memory.dmp

Filesize
1.0MB

Download
memory/3860-600-0x0000000006920000-0x0000000006932000-memory.dmp

Filesize
72KB

Download
memory/3860-601-0x0000000006980000-0x00000000069BC000-memory.dmp

Filesize
240KB

Download
memory/3860-596-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/3860-603-0x0000000006C80000-0x0000000006CE6000-memory.dmp

Filesize
408KB

Download
memory/3860-604-0x0000000007760000-0x00000000077D6000-memory.dmp

Filesize
472KB

Download
memory/3860-605-0x00000000076E0000-0x00000000076FE000-memory.dmp

Filesize
120KB

Download
memory/3860-606-0x0000000008220000-0x00000000083E2000-memory.dmp

Filesize
1.8MB

Download
memory/3860-597-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/3860-595-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/3860-594-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5684-616-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-615-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-614-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-626-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-625-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-624-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-623-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-622-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-621-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download
memory/5684-620-0x0000026FD6550000-0x0000026FD6551000-memory.dmp

Filesize
4KB

Download