lumma | hxxps://www[.]mediafire[.]com/folder/v3klpte2lomqn/ROBLOX

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/v3klpte2lomqn/ROBLOX

Score

10^/10

lumma redline infostealer spyware stealer

Malware Config

Extracted

Family

redline

194.26.232.43:20746

Extracted

Family

lumma

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://tendencyportionjsuk.shop/api

https://headraisepresidensu.shop/api

https://appetitesallooonsj.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

https://smallelementyjdui.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5492-589-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
6928	SoftWare(1).exe
3896	SoftWare(1).exe
7128	SoftWare(2).exe

Loads dropped DLL 1 IoCs

pid	Process
7128	SoftWare(2).exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6928 set thread context of 6244	6928	SoftWare(1).exe	145
PID 3896 set thread context of 6272	3896	SoftWare(1).exe	151
PID 7128 set thread context of 5492	7128	SoftWare(2).exe	152

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5408	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	msedge.exe
3708	msedge.exe
3024	msedge.exe
3024	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe
6192	msedge.exe
6192	msedge.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
6684	7zFM.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe
5492	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6684	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	6684	7zFM.exe
Token: 35	6684	7zFM.exe
Token: SeSecurityPrivilege	6684	7zFM.exe
Token: SeSecurityPrivilege	6684	7zFM.exe
Token: SeSecurityPrivilege	6684	7zFM.exe
Token: SeSecurityPrivilege	6684	7zFM.exe
Token: SeDebugPrivilege	5492	MSBuild.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4700	3024	msedge.exe	82
PID 3024 wrote to memory of 4700	3024	msedge.exe	82
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 1452	3024	msedge.exe	83
PID 3024 wrote to memory of 3708	3024	msedge.exe	84
PID 3024 wrote to memory of 3708	3024	msedge.exe	84
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85
PID 3024 wrote to memory of 2604	3024	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/v3klpte2lomqn/ROBLOX
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef99446f8,0x7ffef9944708,0x7ffef9944718
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7616 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8820 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8972 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9136 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9400 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9868 /prefetch:1
  2⤵
  PID:6348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=9864 /prefetch:8
  2⤵
  PID:6356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:1
  2⤵
  PID:6648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10212 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10028 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9912 /prefetch:1
  2⤵
  PID:6808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10712 /prefetch:1
  2⤵
  PID:6884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10480 /prefetch:1
  2⤵
  PID:6892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10416 /prefetch:1
  2⤵
  PID:6900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,5336245670226016858,3271212802699965156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5996

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ROBLOX Cheat.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6684
- C:\Users\Admin\AppData\Local\Temp\7zOC1A8CEE8\SoftWare(1).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1A8CEE8\SoftWare(1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6244
- C:\Users\Admin\AppData\Local\Temp\7zOC1A8D8C8\SoftWare(1).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1A8D8C8\SoftWare(1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6272
- C:\Users\Admin\AppData\Local\Temp\7zOC1AE9CC8\SoftWare(2).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC1AE9CC8\SoftWare(2).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:7128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC1A2A0A8\Manual.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
62KB

MD5
e2f5339567cadf1f367ae23c6ba2fe2e

SHA1
7b44030002c1b97bd95912ff696ec34d2335017c

SHA256
cb3c31fd9cb4a76d2a6b2d5c8177d121ad4c0bd1e3c0434d5eaacefa141c3ec2

SHA512
f6310fc1f14dc9067875cc67ddc57bb34a59b4772def6b355f0e23d951489361e4e732904ed7fbdded0a2dd0414e4fbdc74ad4c3287946113b956fd7246817b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
31KB

MD5
f46e467f0ce4cfe941d7ab027d90a82c

SHA1
320c6562c1d7d1ce7d157db36ff8a3344cfda052

SHA256
c99ccba9fb436fc1d57950c7fdea18ccabf5bcc81c37079ecb789e197f6b183d

SHA512
903de351ba6a5574acf883bb7e4dd6e1a5a9ca6aa0f4607b36fe78205ba0be5e25de112b6ba4901d8f301482fabc766469f418d80b7e072e5a7a2c9aafa38509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
19KB

MD5
77a7756774746386ef9ead66068e5e5c

SHA1
55692345ecefd7eefe4b8b78b377c23d27281ad5

SHA256
e2519bf5591b6053295770da0709fd923a5c679c543776bf35a12412d17add91

SHA512
33222b2b55bb28e340545fd123806dc0dc3177d8e5f7e8bf209128a34680c8af6210906f2170433d4b9cd1066b88b74eeec400aab89654024359907c6e0fbbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3134b1e652aae48fb564fc8456a6f2c0

SHA1
5394acc3326f309cff93496d370611c0246e8e1d

SHA256
32a348c5396772b0c722e627f46378de9e40a302af7a7cba2c14060fe82e1308

SHA512
2b9334cae29b61b421915c108aa3a3be72c5b008956940bedafcee1308e1e10ad5a4b1fe5c12dc840c9a1bfe30eb0a3fc7271becdd30446de1025a31526f4087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
065bd6ed9b49adb3e3337af49ad76079

SHA1
d65023a0e00f8cf0d18b1de1217ea1e9069426c0

SHA256
ee7d9ae6dba751d004dafb565ae278524c96dbc9a69e690e12641eb3439e5601

SHA512
b0e2de0a4bb28326b9f4c02f9341b7f7dfaf0600c43deb8f538c58db15592998476108b06b71a9e88205068b7f2f198d0425b125e0e0b6b748c5397401a81145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
40KB

MD5
547a463ad15795a8f65a140bc3519e2b

SHA1
94ae6279a7b20f9d7210fdbd9a9a55faf3891607

SHA256
014362006042db08bf4eb59faf955d5319a4d5310303d8a3e6c2ac1b0cc0ad18

SHA512
0cb06f6639e86c813ec745ade4a93701df487ab4cbd771b989a8c3b59c6f65c5f381e2e4d4879b9112bcd26d3f43f146c08c236da8f91c2859eeacfc1ed6ceab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
98b6d548906d5119c8342c3e95f9cd11

SHA1
08db9929c6d657031787e558ffd34f58234db61e

SHA256
49694d7db0a099cc98d5566c02c940424824ba6312dac74ff4f0295466aca134

SHA512
e6ed5a6cc39ebd820513cd03f7a3769a710aaa5f5bff8ec46db7583ef9b60153795d682b3c8845a07f598d1bafdb2eea57bb915a725293d05984de7eada4039f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7d32dfeef0be4128bbb88f01ba9c2620

SHA1
54eddb35cad0ede449d1c88de1558bbce0f06321

SHA256
a2838f47203e029d274a6e7342dc8380f2aee10317466bfb0a46870de59b6996

SHA512
cc3592a5952f8eb92bcd84e13fb10ac3680e031bd90f8e244bf4572392c0ba095b0b48fc2d4c291e4d59d435f820e16ddb8d4b2e2b7471911a2bba31b32c4ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
8cbf2c423b653ef340d0609ce667cb38

SHA1
4dc9fe931b42ecc572f9001793df3f46e794b8df

SHA256
baecc8ea31ada5aedc09fad1906913c220fb2d7f0bec50e1e8e946ceb8f71e4f

SHA512
e8ec4e518d856542dd9d24fd09181c14d8f71a9a1282f5e9ab096bd8b1cdc1021d346869a69a8669cbdbed676c8870d110bccaa3618d3da0d8e20a49facbc399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
db79715abbe1d7b8b0ff2f23f351bc5d

SHA1
d8d4e017b2799645404358a3717d1510e5190cd1

SHA256
a0965eac6cd43d4ecda7c36cf7d07c3807fa55beee743c1b682c1bde4f48cbf2

SHA512
045c5aa64ee0d9d836c26d263e752758708533c71460b358ddb207f491eca8bb7c7813590a794edf6e066258adc813b3ac43b273128c2ceb3209a59312d24162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
513b523e2158539a66fcdb1e42618217

SHA1
22f63dc21181b318b4eaabb755785f6171e2912a

SHA256
1377e75032f19c22f3a1c14a1809e7298b1426bf295a1e756f7f2ec171cf056b

SHA512
fd1d2a1374b466364b12bf3eb678d49ee0107952f46ee0eae430cd342a0d99a17884c8b3780fe05d085588a29be61a969b6d91c43c72cda3cdc60f7e2dd55340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d6a5723578115b6c8deb6d471121baee

SHA1
92aa18f9d9655bbb54c609b7e1a30feedb71293a

SHA256
0419f9e52d2c1fb9de782d74d6549b5b73fff7bab83f8a716a6e210e688e8f70

SHA512
50fc80bad5ce9b63f49c227f5dbbcb182d4a0ff9953a3d0117ffe603a780dde0a36b1f62ce046e41c92ae64f156af0e4d00cc94d255411764595a99f7ff9c19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
71da4aa65e938612d6286b2a8cac53ea

SHA1
3a942e52c800abe6936687278365e6d997aca7dc

SHA256
8c32d9a01060a7df8f998bd2dadaaf85ef7ccf86f3f6c5a7d62d5a008e5faee9

SHA512
ae230ca257576559c1ee6e024ff49df8ef56ca2c12813ed2d0a70a6e9836a178c953f1231233b989bcdfa283e4811a9c7a8d2eb38a020736512d898e399aaca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8e3402e043295a966428dd5f27c948d2

SHA1
7c4ccb479cd80532840b040acb894db02f160c57

SHA256
6608d8af03b31fb8b64dee87ee4023afa6c3721b995b76f0e3e26a7f58534d3c

SHA512
4711aa93b525d1b9f11b070a5d1b8ec40e308e6672a9b37e804ddcee0957e0015d5086b221e203ea57fb8128f7ece3300b4417b7b0fff152b849c740d048eff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
82e76a5f456a08fbc761d02ed6120826

SHA1
929aa464f96ae11d5755a49b2dd9053c8f95dcfa

SHA256
9704c15a8909d8eff786dc3a0b22d077b01a7d0f7b6b8a0f7f532bb2bb9c6150

SHA512
50e0024056219eb83df839afbcf25b00ae9d3e2c879a695fcd8cc2e7859c6dbb84be900057732f0376f572ab21c02f3639f695c998be771cb19991d8f11a274a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579829.TMP

Filesize
1KB

MD5
a6fe5e63d3fc87c2b64b7aef617445af

SHA1
472d71a5e2b6c0550d820fbe7e57b1911d5c1989

SHA256
bfdbf605b1a4e26b9d4789f53598dd8e93b979577612e4b74a5eacf091d37c59

SHA512
93920f558d36afab791ef29e4c4401c0688705e9c92aa6b7a7816e262a4047a3fae7486dabc2de150c90d0264f538c00a60a6d39fc23d76cc0c71f877bcec964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dc95b25b8ab5608796a21a139bedca38

SHA1
4844a69a8b818eb2d53a5d41cfda036f947a2920

SHA256
093845621b964b0e7316e8d11619c2e774282f2ccc5f0461651e8655e62d06b0

SHA512
eb804a1db2d8835a1be0f3ddf7062145c9748c157b6721e2d7b7e45b96731981e0354c9776dd6b6f1957cb0120fd462f88345d50d3e14232cb8e5bfb3925aca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0670d9c0fce1d27ba75dab2d1af357e2

SHA1
aa29b71b422127940080561967672c2631250cfc

SHA256
1cbd5492ede13e127c02f111c916dc1cc78bbf36d02fef6ab89c186746738ea7

SHA512
1fe58d38dd1f6c2d9d76830d96f2aa181c8cc9701a3fe8933679ee90b5a1347a7d62599379fd44c0afd6b1fb8a525dfa045dcf479ac5ca1507b4be6740ed9c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d5a76ff9ef63e7af2c15d37db0472e4c

SHA1
7fabe206c9e2e80c8dc2a400fc527f5b36f16b17

SHA256
016e3dac5839ae3abd4a40afe5806be09b84518420b533cd6e03111aafa0af90

SHA512
7eac4a2ca63292d0b204f0596ca63c047ee2a7b56daeb4ae2af7a75f4c49a7e1f08e672dae08eebaa678b0cb5011a152845fa59dc9b28758a08f645e67bbe084

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC1A2A0A8\Manual.txt

Filesize
302B

MD5
3d27bbc674b40b11c4bcf36bc64336a4

SHA1
419ff3a0b5c10bf15db4cf159ddae84c67491281

SHA256
e6d3931b5c68ed63a073e8e8327b16fd82c766a541d107602e800f00056cdeb6

SHA512
85b6704445a0983003992b462a2f13bcfc3f4d1e3ea8662fb0f49871682b05c44962ebbee1a321f47adf1c88c88f09c441688070b91d897ffb3c205a12542bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC1A8CEE8\SoftWare(1).exe

Filesize
1.2MB

MD5
21d03a07515c5a571236972c15624dfb

SHA1
eaa64143d8752cb82a1fea178b87c2a516839593

SHA256
b6d80ad1fb778375158ffcec8a66d0ee8975e23dab1c4c954fd439a0cb714961

SHA512
53c0f4e6362ec9334a7c794cb49a5387e0e49484e62450839793a944b388db9bf1f10a200a5c1f030d6a24092952a30b08af08faa06e86dfa067c33d405c669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC1AE9CC8\SoftWare(2).exe

Filesize
841KB

MD5
98f8dbff94f1213b9c8caf46ebd67f59

SHA1
0822258b40167b543aacf6ed6b8db7b89ea94637

SHA256
c72f9f3ad6f10616fb4dd983b6388e91888e76ab6ee86e0a1a2fe7ca97b39212

SHA512
3ca4ea1ede519a9663305094a6c4afdc1db7ef9ec9a764aae805266aaf12fd26a8935fc9050364a7520e9459c401c04002c22a6b2faf8c5e65855991d59afdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB39B.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
400KB

MD5
ad11b4097093386b8ae5068438833e7d

SHA1
edaa0e585999b761d629939fb2162369377ed964

SHA256
63d701a7451bc030cb2b9cd43e8bf1077949a6afbec3f59264899c0b120fcd29

SHA512
550ccd3cbbd6de5a32bf43a26f1cf3e9dad290ade3a36fdc52fbfcb6a8032de952bf4fbcb93ddcda1250550bbb5bddd5f0cb45465a6005fa38e4e988cd715af1

Download Submit
C:\Users\Admin\Downloads\ROBLOX Cheat.zip

Filesize
20.8MB

MD5
09af9ca4c1f339f6bc4995cddb2a792b

SHA1
56e5d90c9900b591efd7805be5398b4170839917

SHA256
5861f1f3b6da5b97442ff85fd1eb5ccc55ee8e0ca011f9da6d32f030b7871d11

SHA512
090966ee50d2bccd91be6e97a04c7894776fb42bb3684323afc3e9e036e46bbb554c297118c925f3003e3b57ae5d7a08bd2fd18ca357e858d22aa59b73b4835f

Download Submit
memory/3896-562-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/5492-611-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/5492-626-0x0000000007910000-0x0000000007AD2000-memory.dmp

Filesize
1.8MB

Download
memory/5492-589-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5492-591-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/5492-592-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/5492-593-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/5492-630-0x0000000007880000-0x00000000078D0000-memory.dmp

Filesize
320KB

Download
memory/5492-610-0x0000000006060000-0x00000000060D6000-memory.dmp

Filesize
472KB

Download
memory/5492-627-0x0000000008010000-0x000000000853C000-memory.dmp

Filesize
5.2MB

Download
memory/5492-614-0x0000000006E20000-0x0000000007438000-memory.dmp

Filesize
6.1MB

Download
memory/5492-615-0x0000000006970000-0x0000000006A7A000-memory.dmp

Filesize
1.0MB

Download
memory/5492-616-0x00000000068B0000-0x00000000068C2000-memory.dmp

Filesize
72KB

Download
memory/5492-617-0x0000000006910000-0x000000000694C000-memory.dmp

Filesize
240KB

Download
memory/5492-618-0x0000000006A80000-0x0000000006ACC000-memory.dmp

Filesize
304KB

Download
memory/5492-623-0x0000000006BC0000-0x0000000006C26000-memory.dmp

Filesize
408KB

Download
memory/6244-527-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/6244-529-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/6928-528-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6928-526-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7128-574-0x00000000015A0000-0x00000000015A6000-memory.dmp

Filesize
24KB

Download
memory/7128-564-0x0000000000B50000-0x0000000000C2C000-memory.dmp

Filesize
880KB

Download