Resubmissions

submitted | analysis ID | score
26-05-2024 03:32 | 240526-d3yp5aea86 | 10
22-05-2024 22:59 | 240522-2yrb9acc83 | 10
22-05-2024 22:58 | 240522-2x3c5acc58 | 1
22-05-2024 22:30 | 240522-2e7vwsbd99 | 5

Analysis

max time kernel: 553s
max time network: 536s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 22:59
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
description | pid | process | target process
PID 2668 created 3436 | 2668 | Paperback.pif | Explorer.EXE
PID 1676 created 3436 | 1676 | Paperback.pif | Explorer.EXE
PID 5036 created 3436 | 5036 | Paperback.pif | Explorer.EXE
PID 3028 created 3436 | 3028 | Paperback.pif | Explorer.EXE
Downloads MZ/PE file
Sets file execution options in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | rundll32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | S0lara Boostpaper.exe
Executes dropped EXE 37 IoCs
Processes:
pid | process
4724 | S0lara Boostpaper.exe
2668 | Paperback.pif
3448 | S0lara Boostpaper.exe
1676 | Paperback.pif
4832 | RegAsm.exe
3100 | RegAsm.exe
2100 | S0lara Boostpaper.exe
5036 | Paperback.pif
2460 | RegAsm.exe
1092 | RobloxPlayerInstaller.exe
5012 | MicrosoftEdgeWebview2Setup.exe
3300 | MicrosoftEdgeUpdate.exe
3116 | MicrosoftEdgeUpdate.exe
5096 | MicrosoftEdgeUpdate.exe
4448 | MicrosoftEdgeUpdateComRegisterShell64.exe
4424 | MicrosoftEdgeUpdateComRegisterShell64.exe
2380 | MicrosoftEdgeUpdateComRegisterShell64.exe
2936 | MicrosoftEdgeUpdate.exe
2348 | MicrosoftEdgeUpdate.exe
1284 | MicrosoftEdgeUpdate.exe
4192 | MicrosoftEdgeUpdate.exe
3180 | MicrosoftEdgeUpdate.exe
4900 | RobloxPlayerInstaller.exe
4124 | MicrosoftEdge_X64_125.0.2535.51.exe
1308 | setup.exe
4040 | setup.exe
3656 | MicrosoftEdgeUpdate.exe
5112 | RobloxPlayerBeta.exe
2636 | S0lara Boostpaper.exe
3028 | Paperback.pif
2460 | S0lara Boostpaper.exe
5084 | Paperback.pif
4608 | RegAsm.exe
3192 | S0lara Boostpaper.exe
1676 | Paperback.pif
744 | S0lara Boostpaper.exe
2008 | Paperback.pif
Loads dropped DLL 18 IoCs
Processes:
pid | process
3300 | MicrosoftEdgeUpdate.exe
3116 | MicrosoftEdgeUpdate.exe
5096 | MicrosoftEdgeUpdate.exe
4448 | MicrosoftEdgeUpdateComRegisterShell64.exe
5096 | MicrosoftEdgeUpdate.exe
4424 | MicrosoftEdgeUpdateComRegisterShell64.exe
5096 | MicrosoftEdgeUpdate.exe
2380 | MicrosoftEdgeUpdateComRegisterShell64.exe
5096 | MicrosoftEdgeUpdate.exe
2936 | MicrosoftEdgeUpdate.exe
2348 | MicrosoftEdgeUpdate.exe
1284 | MicrosoftEdgeUpdate.exe
1284 | MicrosoftEdgeUpdate.exe
2348 | MicrosoftEdgeUpdate.exe
4192 | MicrosoftEdgeUpdate.exe
3180 | MicrosoftEdgeUpdate.exe
3656 | MicrosoftEdgeUpdate.exe
5112 | RobloxPlayerBeta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun 1 TTPs 33 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerInstaller.exe
Checks system information in the registry 2 TTPs 12 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid | process
5112 | RobloxPlayerBeta.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
Processes:
pid | process
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
5112 | RobloxPlayerBeta.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\LuaApp\ExternalSite\qq.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\LuaApp\icons\ic-more-inventory.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\fonts\families\Inconsolata.json | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Controls\DefaultController\DPadUp.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Emotes\Editor\TenFoot\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\InspectMenu\ico_favorite.png | RobloxPlayerInstaller.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Trust Protection Lists\Sigma\Fingerprinting | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\StudioToolbox\AssetConfig\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\VR\rectBackground.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\AnimationEditor\icon_whitetriangle_down.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\scrollbuttonDown.png | RobloxPlayerInstaller.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\ja.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\kok.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\delegatedWebFeatures.sccd | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\MaterialGenerator\Materials\SmoothPlastic.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Emotes\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\VirtualCursor\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\LuaApp\graphic\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\fonts\JosefinSans-Regular.ttf | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\PlayerList\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Settings\Players\Unmute.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\TopBar\emotesOn.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Trust Protection Lists\Mu\TransparentAdvertisers | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\AnimationEditor\FaceCaptureUI\StopRecordButton_lightTheme.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\CompositorDebugger\History.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\StudioToolbox\Voting\thumb-down.png | RobloxPlayerInstaller.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\az.pak | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\AnimationEditor\icon_delete.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\VoiceChat\[email protected] | RobloxPlayerInstaller.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\VisualElements\Logo.png | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\btn_grey.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Controls\PlayStationController\ButtonL2.png | RobloxPlayerInstaller.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\en-US.pak | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\AnimationEditor\img_dark_scrubberhead.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Controls\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\VoiceChat\MicLight\Muted.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\v8_context_snapshot.bin | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\PlayerList\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\Controls\DesignSystem\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\icon_follower-16.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\VoiceChat\Misc\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\d3dcompiler_47.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Trust Protection Lists\Sigma\Staging | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\configs\DateTimeLocaleConfigs\de-de.json | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\AnimationEditor\img_eventMarker_inner.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\CompositorDebugger\dot.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Controls\DesignSystem\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\advClosed-hand-no-weld.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\particles\explosion01_core_main.dds | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\StudioToolbox\AssetConfig\readyforsale.png | RobloxPlayerInstaller.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\libGLESv2.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Trust Protection Lists\Sigma\Content | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\sk.pak | setup.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\SurfacesDefault.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Chat\MessageCounter.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Controls\XboxController\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\Controls\DesignSystem\ButtonA.png | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\configs\DateTimeLocaleConfigs\ru-ru.json | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\content\textures\ui\Controls\DefaultController\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\ExtraContent\textures\ui\LuaChat\graphic\[email protected] | RobloxPlayerInstaller.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\VisualElements\LogoBeta.png | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUEEBD.tmp\msedgeupdateres_lb.dll | MicrosoftEdgeWebview2Setup.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | MicrosoftEdgeUpdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | sdiagnhost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | sdiagnhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | sdiagnhost.exe
Enumerates processes with tasklist 1 TTPs 14 IoCs
Processes:
pid | process
3792 | tasklist.exe
412 | tasklist.exe
632 | tasklist.exe
5100 | tasklist.exe
1232 | tasklist.exe
4136 | tasklist.exe
4712 | tasklist.exe
3560 | tasklist.exe
4012 | tasklist.exe
1576 | tasklist.exe
1652 | tasklist.exe
2680 | tasklist.exe
4516 | tasklist.exe
1880 | tasklist.exe
Enumerates system info in registry 2 TTPs 14 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | RobloxPlayerInstaller.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | RobloxPlayerInstaller.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | RobloxPlayerInstaller.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | RobloxPlayerInstaller.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | sdiagnhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | sdiagnhost.exe
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Modifies data under HKEY_USERS 44 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608926280664311" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Modifies registry class 64 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine"  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Microsoft Edge Update Legacy On Demand"  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateBroker.exe\""  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine.1.0\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}"  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VERSIONINDEPENDENTPROGID  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine.dll"  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LOCALSERVER32  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-d8aa63d3654646d0"  RobloxPlayerInstaller.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\msedgeupdate.dll,-1004"  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalServer32  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateOnDemand.exe\""  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"  MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32  MicrosoftEdgeUpdate.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods  MicrosoftEdgeUpdateComRegisterShell64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods  MicrosoftEdgeUpdate.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"  MicrosoftEdgeUpdateComRegisterShell64.exe
Runs ping.exe 1 TTPs 7 IoCs
Processes:
pid   process
2008  PING.EXE
3680  PING.EXE
3136  PING.EXE
3424  PING.EXE
4336  PING.EXE
1472  PING.EXE
4292  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (consecutive identical rows collapsed, repeat count in parentheses):
pid   process
2668  Paperback.pif (x10)
1676  Paperback.pif (x6)
4832  RegAsm.exe (x20)
1676  Paperback.pif (x4)
1512  taskmgr.exe (x7)
3100  RegAsm.exe (x1)
1512  taskmgr.exe (x16)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1512  taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Processes (consecutive identical rows collapsed, repeat count in parentheses):
pid   process
4608  chrome.exe (x4)
1564  chrome.exe (x8)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (consecutive identical rows collapsed, repeat count in parentheses):
token                      pid   process
SeRestorePrivilege         1904  7zG.exe
35                         1904  7zG.exe
SeSecurityPrivilege        1904  7zG.exe (x2)
SeDebugPrivilege           3792  tasklist.exe
SeDebugPrivilege           1652  tasklist.exe
SeDebugPrivilege           3560  tasklist.exe
SeDebugPrivilege           4712  tasklist.exe
SeDebugPrivilege           4832  RegAsm.exe
SeBackupPrivilege          4832  RegAsm.exe
SeSecurityPrivilege        4832  RegAsm.exe (x4)
SeDebugPrivilege           1512  taskmgr.exe
SeSystemProfilePrivilege   1512  taskmgr.exe
SeCreateGlobalPrivilege    1512  taskmgr.exe
SeDebugPrivilege           3100  RegAsm.exe
SeBackupPrivilege          3100  RegAsm.exe
SeSecurityPrivilege        3100  RegAsm.exe (x4)
SeDebugPrivilege           1880  tasklist.exe
SeDebugPrivilege           2680  tasklist.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege, alternating   4608  chrome.exe (12 pairs, x24)
SeDebugPrivilege           2460  RegAsm.exe
SeBackupPrivilege          2460  RegAsm.exe
SeSecurityPrivilege        2460  RegAsm.exe (x4)
SeShutdownPrivilege / SeCreatePagefilePrivilege, alternating   4608  chrome.exe (4 pairs, x8)
SeShutdownPrivilege        1564  chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (consecutive identical rows collapsed, repeat count in parentheses):
pid   process
1904  7zG.exe (x1)
2668  Paperback.pif (x3)
1676  Paperback.pif (x3)
1512  taskmgr.exe (x42)
5036  Paperback.pif (x3)
1512  taskmgr.exe (x11)
4608  chrome.exe (x1)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (consecutive identical rows collapsed, repeat count in parentheses):
pid   process
2668  Paperback.pif (x3)
1676  Paperback.pif (x3)
1512  taskmgr.exe (x42)
5036  Paperback.pif (x3)
1512  taskmgr.exe (x11)
4608  chrome.exe (x2)
Suspicious use of SetWindowsHookEx 11 IoCs
Processes (consecutive identical rows collapsed, repeat count in parentheses):
pid   process
2912  OpenWith.exe (x11)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
5112  RobloxPlayerBeta.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical consecutive rows collapsed, repeat count in parentheses):
source pid  source process          wrote to memory of  target pid  target process
4724        S0lara Boostpaper.exe                       3708        cmd.exe (x3)
3708        cmd.exe                                     3792        tasklist.exe (x3)
3708        cmd.exe                                     3308        findstr.exe (x3)
3708        cmd.exe                                     1652        tasklist.exe (x3)
3708        cmd.exe                                     1620        findstr.exe (x3)
3708        cmd.exe                                     4360        cmd.exe (x3)
3708        cmd.exe                                     3632        findstr.exe (x3)
3708        cmd.exe                                     3140        cmd.exe (x3)
3708        cmd.exe                                     2668        Paperback.pif (x3)
3708        cmd.exe                                     2008        PING.EXE (x3)
2668        Paperback.pif                               4832        RegAsm.exe (x4)
3448        S0lara Boostpaper.exe                       228         cmd.exe (x3)
228         cmd.exe                                     3560        tasklist.exe (x3)
228         cmd.exe                                     4948        findstr.exe (x3)
228         cmd.exe                                     4712        tasklist.exe (x3)
228         cmd.exe                                     1028        findstr.exe (x3)
228         cmd.exe                                     4632        cmd.exe (x3)
228         cmd.exe                                     2072        cmd.exe (x3)
228         cmd.exe                                     1676        Paperback.pif (x3)
228         cmd.exe                                     3680        PING.EXE (x3)
2668        Paperback.pif                               4832        RegAsm.exe (x1)
1676        Paperback.pif                               3100        RegAsm.exe (x2)
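The WriteProcessMemory table records which process wrote into which; the process tree in the next section records where the sandbox placed each process. Cross-referencing the two is how an analyst confirms parent-PID spoofing in a report like this one: both RegAsm.exe instances (4832 and 3100) are listed at depth 2 directly under Explorer.EXE (3436), yet the only process that ever wrote into their memory is the Paperback.pif that the batch script launched. The Python below is an added example, not part of the sandbox report. Its input records are transcribed from the table above (with one duplicated row kept, since the report repeats a row per API call) and the parent map is read off the tree; the regular expression and the function names are this example's own. A writer that is not the recorded parent is injection evidence on its own; calling it parent spoofing also relies on the report's separate NtCreateUserProcessOtherParentProcess signature, which fires for both Paperback.pif PIDs.

```python
import re

# One record per line, transcribed from the WriteProcessMemory table above. The second
# "2668 -> 4832" line is a deliberate duplicate so that de-duplication is exercised.
SAMPLE_WRITES = """\
PID 4724 wrote to memory of 3708 4724 S0lara Boostpaper.exe cmd.exe
PID 3708 wrote to memory of 3792 3708 cmd.exe tasklist.exe
PID 3708 wrote to memory of 3308 3708 cmd.exe findstr.exe
PID 3708 wrote to memory of 2668 3708 cmd.exe Paperback.pif
PID 3708 wrote to memory of 2008 3708 cmd.exe PING.EXE
PID 2668 wrote to memory of 4832 2668 Paperback.pif RegAsm.exe
PID 2668 wrote to memory of 4832 2668 Paperback.pif RegAsm.exe
PID 3448 wrote to memory of 228 3448 S0lara Boostpaper.exe cmd.exe
PID 228 wrote to memory of 1676 228 cmd.exe Paperback.pif
PID 228 wrote to memory of 3680 228 cmd.exe PING.EXE
PID 1676 wrote to memory of 3100 1676 Paperback.pif RegAsm.exe
"""

# Parent of each PID as the process tree places it. Both RegAsm.exe instances sit at
# depth 2 under Explorer.EXE (3436) rather than under the Paperback.pif that wrote to them.
TREE_PARENT = {
    4724: 3436, 3708: 4724, 3792: 3708, 3308: 3708, 2668: 3708, 2008: 3708,
    4832: 3436,
    3448: 3436, 228: 3448, 1676: 228, 3680: 228,
    3100: 3436,
}

# "PID <src> wrote to memory of <dst> <src> <src name> <dst name>". The source name may
# contain spaces ("S0lara Boostpaper.exe"), so it is matched lazily up to its extension.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>.+?\.(?:exe|pif)) (?P<dst_name>\S+)\s*$",
    re.I,
)


def parse_writes(text):
    """Return the de-duplicated set of (src_pid, src_name, dst_pid, dst_name) edges."""
    edges = set()
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if m:
            edges.add((int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"]))
    return edges


def spoofed_parents(edges, tree_parent):
    """List every target whose recorded parent is not the process that wrote into it,
    as (dst_pid, dst_name, recorded_parent, writer_pid, writer_name), ordered by writer."""
    findings = []
    for src, src_name, dst, dst_name in sorted(edges):
        recorded = tree_parent.get(dst)
        if recorded is not None and recorded != src:
            findings.append((dst, dst_name, recorded, src, src_name))
    return findings


if __name__ == "__main__":
    for dst, dst_name, recorded, writer, writer_name in spoofed_parents(
        parse_writes(SAMPLE_WRITES), TREE_PARENT
    ):
        print(f"{dst_name} ({dst}): tree parent {recorded}, memory written by {writer_name} ({writer})")
```

Every cmd.exe child in the sample is written to by its own parent (normal process creation), so the only findings are the two RegAsm.exe instances. On a live host the same check can be run with Sysmon event 8 or 10 as the write source and event 1 as the recorded parent.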
Processes
C:\Windows\Explorer.EXE  [depth 1, PID 3436]
  cmdline: C:\Windows\Explorer.EXE
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 4588]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ryosx.cc
  C:\Program Files\7-Zip\7zG.exe  [depth 2, PID 1904]
    cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\" -an -ai#7zMap7756:142:7zEvent19692
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe  [depth 2, PID 4724]
    cmdline: "C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [depth 3, PID 3708]
      cmdline: "C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe  [depth 4, PID 3792]
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 3308]
        cmdline: findstr /I "wrsa.exe opssvc.exe"
      C:\Windows\SysWOW64\tasklist.exe  [depth 4, PID 1652]
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 1620]
        cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 4360]
        cmdline: cmd /c md 320189
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 3632]
        cmdline: findstr /V "lovessatellitevendorspetroleum" Sit
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 3140]
        cmdline: cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif  [depth 4, PID 2668]
        cmdline: 320189\Paperback.pif 320189\E
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE  [depth 4, PID 2008]
        cmdline: ping -n 5 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exe  [depth 2, PID 4832]
    cmdline: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe  [depth 2, PID 3448]
    cmdline: "C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [depth 3, PID 228]
      cmdline: "C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe  [depth 4, PID 3560]
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 4948]
        cmdline: findstr /I "wrsa.exe opssvc.exe"
      C:\Windows\SysWOW64\tasklist.exe  [depth 4, PID 4712]
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 1028]
        cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 4632]
        cmdline: cmd /c md 320189
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 2072]
        cmdline: cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif  [depth 4, PID 1676]
        cmdline: 320189\Paperback.pif 320189\E
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE  [depth 4, PID 3680]
        cmdline: ping -n 5 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exe  [depth 2, PID 3100]
    cmdline: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\taskmgr.exe  [depth 2, PID 1512]
    cmdline: "C:\Windows\system32\taskmgr.exe" /7
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe  [depth 2, PID 2100]
    cmdline: "C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"
    - Checks computer location settings
    - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  [depth 3, PID 4872]
      cmdline: "C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit
      C:\Windows\SysWOW64\tasklist.exe  [depth 4, PID 1880]
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 4940]
        cmdline: findstr /I "wrsa.exe opssvc.exe"
      C:\Windows\SysWOW64\tasklist.exe  [depth 4, PID 2680]
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 1564]
        cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 4564]
        cmdline: cmd /c md 320189
      C:\Windows\SysWOW64\findstr.exe  [depth 4, PID 4052]
        cmdline: findstr /V "lovessatellitevendorspetroleum" Sit
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 4900]
        cmdline: cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif  [depth 4, PID 5036]
        cmdline: 320189\Paperback.pif 320189\E
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      C:\Windows\SysWOW64\PING.EXE  [depth 4, PID 3136]
        cmdline: ping -n 5 127.0.0.1
        - Runs ping.exe
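All three S0lara Boostpaper.exe chains above run the same batch script: rename a dropped file to Ftp.cmd and execute it, pipe tasklist through findstr to look for security products (wrsa.exe, opssvc.exe, avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe), create the working directory 320189 under INetCache, filter a decoy string out of Sit, stitch seven chunks into 320189\E with copy /b, run Paperback.pif with E as its argument, and use ping -n 5 127.0.0.1 as a sleep. Each step on its own is unremarkable; the same five stages inside one process subtree are a strong signal. The Python below is an added example, not part of the sandbox report or of any detection product: it scores a process subtree against those stages, flagging a root whose descendants match at least three distinct rules. The event tuples are transcribed from the first chain (PID 4724) plus one constructed benign chain (PIDs 9001 and 9002) that joins two files and pings loopback once; the rule names, regular expressions and threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Each rule corresponds to one stage of the batch dropper in the process tree above.
# Rules are applied to "<image path> <command line>", so the on-disk location of the
# image (INetCache) is visible alongside its arguments.
RULES = {
    "stage_rename_to_cmd": re.compile(r"\bcopy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd\b", re.I),
    "av_process_discovery": re.compile(
        r'\bfindstr\s+/I\s+"[^"]*\b(?:wrsa|opssvc|avastui|avgui|nswscsvc|sophoshealth)\.exe\b', re.I
    ),
    # copy /b with at least three inputs: the page's chain joins seven chunks into 320189\E
    "chunk_concatenation": re.compile(r"\bcopy\s+/b\s+\S+(?:\s+\+\s+\S+){2,}\s+\S+", re.I),
    "pif_from_inetcache": re.compile(r"\\INetCache\\\S*\.pif\b", re.I),
    "loopback_ping_sleep": re.compile(r"\bping\s+-n\s+\d+\s+127\.0\.0\.1\b", re.I),
}

# (pid, ppid, image, cmdline): the first block is transcribed from the PID 4724 chain
# above; the last two rows are a constructed benign chain that must not be flagged.
SAMPLE_EVENTS = [
    (4724, 3436, r"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe",
     r'"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"'),
    (3708, 4724, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit'),
    (3792, 3708, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (3308, 3708, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (1620, 3708, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (4360, 3708, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 320189"),
    (3140, 3708, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E"),
    (2668, 3708, r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif", r"320189\Paperback.pif 320189\E"),
    (2008, 3708, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    (9001, 3436, r"C:\Windows\System32\cmd.exe", "cmd /c copy /b part1.bin + part2.bin whole.bin"),
    (9002, 9001, r"C:\Windows\System32\PING.EXE", "ping -n 2 127.0.0.1"),
]


def rule_hits(image, cmdline):
    """Names of the rules that match one process's image path plus command line."""
    text = f"{image} {cmdline}"
    return {name for name, rx in RULES.items() if rx.search(text)}


def flag_dropper_chains(events, threshold=3):
    """Map each root PID (one whose parent is not in the events) to the sorted list of
    distinct rules hit anywhere in its subtree, keeping only roots at or above threshold."""
    by_pid = {}
    children = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        by_pid[pid] = (ppid, image, cmdline)
        children[ppid].append(pid)

    def subtree_hits(pid):
        _, image, cmdline = by_pid[pid]
        hits = rule_hits(image, cmdline)
        for child in children[pid]:
            hits |= subtree_hits(child)
        return hits

    flagged = {}
    for pid, (ppid, _, _) in by_pid.items():
        if ppid not in by_pid:  # subtree root
            hits = subtree_hits(pid)
            if len(hits) >= threshold:
                flagged[pid] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for root, hits in flag_dropper_chains(SAMPLE_EVENTS).items():
        print(f"PID {root}: {len(hits)} dropper stages matched: {', '.join(hits)}")
```

Scoring the subtree rather than individual command lines is what keeps the benign chain quiet: a lone copy /b or a single loopback ping scores one, while the real chain scores five. To run this against endpoint telemetry, build the event tuples from Sysmon event 1 (ProcessId, ParentProcessId, Image, CommandLine) for a bounded time window.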
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4608 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff94c7fab58,0x7ff94c7fab68,0x7ff94c7fab783⤵PID:4552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:23⤵PID:2912
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:1360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:4652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:13⤵PID:1864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:13⤵PID:4504
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:13⤵PID:4224
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:2680
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:4120
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4508 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:13⤵PID:436
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:1744
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3128 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:928
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 --field-trial-handle=1840,i,10015508017788340686,8819221823429251280,131072 /prefetch:83⤵PID:1648
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1564
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ff95b06ab58,0x7ff95b06ab68,0x7ff95b06ab783⤵PID:3144
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1368 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:23⤵PID:3956
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:3752
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:1500
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:4284
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:1036
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:3796
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4900
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:2740
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4576 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:2476
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3064 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:1240
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:2704
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4924
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4264 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:4756
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3144 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:536
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4620
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4436
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5376 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:4508
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5300 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:3640
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4596 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:13⤵PID:1152
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:1176
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4004
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6008 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4648
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4192
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5996 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:2864
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:83⤵PID:4520
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:1092
C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exeMicrosoftEdgeWebview2Setup.exe /silent /install4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5012
C:\Program Files (x86)\Microsoft\Temp\EUEEBD.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUEEBD.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"5⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3300
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3116
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5096
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4448
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4424
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2380
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzU2QkVBQUYtQjczNC00NEQzLTk4MUQtN0MyNzVEQzY4REJFfSIgdXNlcmlkPSJ7QTEzMzZDQ0QtQUM2Ny00NDQ5LTlDNTctQjAzMTUxQkJFN0ZGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxMDY0RkUwNS1DQ0RCLTQ4NzItQTYyMC03RDkxM0JBNEYxMTB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RHhPYmpIR2ErblJhMmF0QzN3bytJRXBDNzgrWlllQVVia1hwREMyY2o3VT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjgyNzczMTkwMTIiIGluc3RhbGxfdGltZV9tcz0iNTQwIi8-PC9hcHA-PC9yZXF1ZXN0Pg6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:2936
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{356BEAAF-B734-44D3-981D-7C275DC68DBE}" /silent6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348
C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-d8aa63d3654646d0\RobloxPlayerBeta.exe" -app -isInstallerLaunch4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:5112
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"3⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:4900
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=2072,i,16163599956867819533,8953700606898331913,131072 /prefetch:23⤵PID:4520
C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2636
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit3⤵PID:2524
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:412
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵PID:3540
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:4516
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵PID:1092
C:\Windows\SysWOW64\cmd.execmd /c md 3201894⤵PID:244
C:\Windows\SysWOW64\findstr.exefindstr /V "lovessatellitevendorspetroleum" Sit4⤵PID:5044
C:\Windows\SysWOW64\cmd.execmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E4⤵PID:4520
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif320189\Paperback.pif 320189\E4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3028
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
PID:3424
C:\Windows\system32\pcwrun.exeC:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe" ContextMenu2⤵PID:2300
C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW91AA.xml /skip TRUE3⤵PID:3168
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"4⤵
- Checks computer location settings
PID:4052
C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2460
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit6⤵PID:748
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:632
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"7⤵PID:1720
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
PID:4012
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"7⤵PID:180
C:\Windows\SysWOW64\cmd.execmd /c md 3201897⤵PID:244
C:\Windows\SysWOW64\cmd.execmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E7⤵PID:4420
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif320189\Paperback.pif 320189\E7⤵
- Executes dropped EXE
PID:5084
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.17⤵
- Runs ping.exe
PID:4336
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\RegAsm.exe2⤵
- Executes dropped EXE
PID:4608
C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3192
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit3⤵PID:4940
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:5100
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵PID:4984
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:1232
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵PID:1424
C:\Windows\SysWOW64\cmd.execmd /c md 3201894⤵PID:2668
C:\Windows\SysWOW64\cmd.execmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E4⤵PID:1820
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif320189\Paperback.pif 320189\E4⤵
- Executes dropped EXE
PID:1676
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
PID:1472
C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"C:\Users\Admin\Downloads\S0laraBoostpaper V3.1 BypassByfron\S0lra\S0lara Boostpaper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:744
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Ftp Ftp.cmd & Ftp.cmd & exit3⤵PID:4904
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:1576
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵PID:788
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:4136
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵PID:956
C:\Windows\SysWOW64\cmd.execmd /c md 3201894⤵PID:3060
C:\Windows\SysWOW64\cmd.execmd /c copy /b Exports + Wm + Balls + Hobby + Shared + Awarded + Stanford 320189\E4⤵PID:4984
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\320189\Paperback.pif320189\Paperback.pif 320189\E4⤵
- Executes dropped EXE
PID:2008
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
PID:4292
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4140,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:11⤵PID:2904
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3776,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:11⤵PID:4452
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5248,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:81⤵PID:3980
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5276,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:81⤵PID:1636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5764,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:81⤵PID:2144
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5260,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:11⤵PID:4376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6316,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:81⤵PID:4356
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5660,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:11⤵PID:4352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6848,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:81⤵PID:116
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6852,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:81⤵PID:4004
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5560,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:81⤵PID:3984
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5668,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:81⤵PID:4272
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5668,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:81⤵PID:604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6808,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:11⤵PID:4480
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2740
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2912
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=3580,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:81⤵PID:2560
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:2824
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:3524
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1284
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzU2QkVBQUYtQjczNC00NEQzLTk4MUQtN0MyNzVEQzY4REJFfSIgdXNlcmlkPSJ7QTEzMzZDQ0QtQUM2Ny00NDQ5LTlDNTctQjAzMTUxQkJFN0ZGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDOEU4NzQ0My1CNDE1LTQ5OTQtQjdDMS1FMTY5RDRENjVDQzB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjgyODE5NjkyMjAiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:4192
-
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1284" "1148" "1028" "1152" "0" "0" "0" "0" "0" "0" "0" "0"2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2740
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzU2QkVBQUYtQjczNC00NEQzLTk4MUQtN0MyNzVEQzY4REJFfSIgdXNlcmlkPSJ7QTEzMzZDQ0QtQUM2Ny00NDQ5LTlDNTctQjAzMTUxQkJFN0ZGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5MjBFQkE1MS0wRDY4LTQzQzktQTM0OC1FQkUzOTQyMEU4QkF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iMTI0LjAuMjQ3OC44MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjE0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MTUxOTUzMDMiPjxldmVudCBldmVudHR5cGU9IjMyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI0IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MjkwOTY4OTU1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3180
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\MicrosoftEdge_X64_125.0.2535.51.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\MicrosoftEdge_X64_125.0.2535.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:4124 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\EDGEMITMP_5AE1B.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\EDGEMITMP_5AE1B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\MicrosoftEdge_X64_125.0.2535.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1308 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\EDGEMITMP_5AE1B.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\EDGEMITMP_5AE1B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5213591C-F205-4177-892F-9B2E654EC04F}\EDGEMITMP_5AE1B.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.51 --initial-client-data=0x22c,0x230,0x234,0x118,0x238,0x7ff74c834b18,0x7ff74c834b24,0x7ff74c834b304⤵
- Executes dropped EXE
PID:4040
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzU2QkVBQUYtQjczNC00NEQzLTk4MUQtN0MyNzVEQzY4REJFfSIgdXNlcmlkPSJ7QTEzMzZDQ0QtQUM2Ny00NDQ5LTlDNTctQjAzMTUxQkJFN0ZGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyNTY4RDBBQS0wRjYyLTQxNDUtQTFENS1GMTI2NUFGOEQwMTh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI1LjAuMjUzNS41MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-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_UDE9MTcxNzAyMzkzMCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1CV3NDNDlLT2IyWTk1ZkhNU0YlMmI1SWFSRjdybnJYR1o4TUZmSjh1d2NhMlU0Y0VqSVI3WVMxOFBPZkp5OHd2MU1kNE1NV2FKUjBLWmMlMmJ4dlRDZGNYdWclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzM2NDIyODgiIHRvdGFsPSIxNzM2NDIyODgiIGRvd25sb2FkX3RpbWVfbXM9IjcwMTA0Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTA2MDg0ODk4MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCB
ldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkwNzQ5Mzg5NzEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk1MTMzOTkwOTMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIyNTciIGRvd25sb2FkX3RpbWVfbXM9Ijc2NDU2IiBkb3dubG9hZGVkPSIxNzM2NDIyODgiIHRvdGFsPSIxNzM2NDIyODgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQzODMxIi8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3656
-
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3788 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rklluil0\rklluil0.cmdline"2⤵PID:1948
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9803.tmp" "c:\Users\Admin\AppData\Local\Temp\rklluil0\CSCE352F17A8ABE4685A5116535E91E45B8.TMP"3⤵PID:5104
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibbttlrm\ibbttlrm.cmdline"2⤵PID:1800
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9841.tmp" "c:\Users\Admin\AppData\Local\Temp\ibbttlrm\CSC5DCCA8E561DF449AB7E64744A8C36D70.TMP"3⤵PID:3444
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ex44hxoc\ex44hxoc.cmdline"2⤵PID:2220
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C78.tmp" "c:\Users\Admin\AppData\Local\Temp\ex44hxoc\CSC3E26D027364B4AD19C9458B9E24D49.TMP"3⤵PID:4272
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
6.9MB
MD50e2485bb7949cd48315238d8b4e0b26e
SHA1afa46533ba37cef46189ed676db4bf586e187fb4
SHA2561a3d50530e998787561309b08a797f10fe97833e5a6c1f5b35a26b9068d8c3e8
SHA512e40fcfb989e370606469cb4ca4519ce1b98704d38dbfa044bf1ad4b49dbcaf39e05e76822e7dc34cb1bb8f52e8d556c3cbf3adb4646869aba0181c6212806b96
-
Filesize
201KB
MD54dc57ab56e37cd05e81f0d8aaafc5179
SHA1494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA25687c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b
-
Filesize
5.3MB
MD50469bb703f1233c733ba4e8cb45afda2
SHA1a07afd7ecf1d0b740b0e2eddfcde79dcf6e1767f
SHA25600314da401908da37ebfe9b642506cab81a4467c092719fcf007be045bc4a9e0
SHA512342c9629e705eb78c7bd52b3efe4a92b6a8bece9933956390450600635e4c0511ca96ccaa25e6920e9d25ccdf444dabfea7b09f8fbcba2f371655f87633b6d67
-
Filesize
164KB
MD51f2d54fae43a1c56826887b5ac8d619a
SHA174ff1f61d2eef32285ead4dd28e1616ca602f28e
SHA256a02230a8b4b12916050e1794cc9bd6a8e210c417d5ff4d74d0cbcaf65d1006ba
SHA512331af51b93b8a861f2909180bcafd41b4a264d37dba2310f1142b35b48238c95794904ea885bac40ca7aaa4909ab83853d9bc2b79006c0cc4dd0e7f4d90f2c09
-
Filesize
5KB
MD582054528e0a9ef522e5dd0820161fcd1
SHA19985db105456ceef2d554fe2985ff8f99b3cdda7
SHA256c7d2c7ab6ee6c04b5bab7c27d182bc6a0ed2d7cb9dbdc60a34a1c29038458115
SHA5121870c13ff26b6a76878390360cc3f36a16906188724743e2989193295dcf3f7c6935ba920ca9d52bfaa5cfe4ec9e1d3af00e1d91e39bfda23d04fd8f3666a9ac
-
Filesize
47KB
MD5310e1da2344ba6ca96666fb639840ea9
SHA1e8694edf9ee68782aa1de05470b884cc1a0e1ded
SHA25667401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
SHA51262ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244
-
Filesize
260KB
MD5fdad782779594b88f75d0c8b98ee5461
SHA11520799d62038ec29893793ed54dd70f698feeea
SHA25654709dfb8dce276535dc3155456490a4725b61f984aec053790f41fa52843830
SHA512bd1d7ad52d3b8ee79f4ce01194da7217922a581364244551a8b51ad21413e1156bce965750871af23035062de96d6848ff4d1f050c23e31b7bd4b45aee33e502
-
Filesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
Filesize
26KB
MD571c6e4dcb559033bffb685bfcac9213a
SHA125f961c9654c8b6ebdb65fc84b3e218fba9fe9fe
SHA25677dcc1c86b052027db7eeeec2d6bad3d899360ca512a5c8ff38db272e9cee5c9
SHA512f7065427eab4f90046446685101518f036d4472bafa41da4d0c80f30e3accb19d90f29c0483ff7b95a8282d1ef68b60457818e4c1457d307208b56d536e9ac68
-
Filesize
51KB
MD5588ee33c26fe83cb97ca65e3c66b2e87
SHA1842429b803132c3e7827af42fe4dc7a66e736b37
SHA256bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760
SHA5126f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04
-
Filesize
3KB
MD5abec6f87ee8d599dff2ea6e8d1505cff
SHA1b05a6448f1b1a41518b2b41d4902cd6179d26e55
SHA256db409768ad949ea1126870ed234fdd02d26a5582fb7a66c534c0acf32fe64b8a
SHA512a0532122962c2fbac5f05537da522fd2e9b33bb5236e22d71fd5fc9194e1f496026d5ea6cdfb22898a1b1ea1509fd36f6021e96ea82571ef221677c614171b2c
-
Filesize
6KB
MD5bd55aeaa4b9ebf9affcb5a2d3058ed00
SHA14defdf0cdb88449abfedc265af910096a2918b71
SHA256ae8e5f364d791580ec7735e1379515adacca6d06fa8501c1f2cb16f1db0140f6
SHA512205a66f62511d5564da722a2ed1d9e24beae05c45f7e64b7823ae9a4f712dac3f45cef17f5430cfe768bd561d10e261d88b7cd3b4f336269088ce1283df53ce0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5c0b81.TMP
Filesize2KB
MD5520350058e438dfbe523517e2bde0161
SHA141d615704f8802454315fcb4975a54a908525bdb
SHA2567a6f62bbdc905b7c955976ff6d1ded01def98f02042783b24c5d621a15247f27
SHA512b1b295663c3070b72b60868dfa177d532ebe041ddac2c1cae4d29437f3eaa7fc1d424e922befb9426f5ea1b8a09ed993c62d9e76295ad3a32ff4c7423510aee9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old
Filesize387B
MD57497286df0e55410a42abe3982bf0f4f
SHA19237f3d548a0e3d92a618378ef47e6f203997ba0
SHA256ebaa0e835bccc390c349ac3c4a9fc8c805e02e562917f0202184c46658a6b5c6
SHA5120a6801afd989a7ca75756fa9d615ffec3b777605263bb52b84609e76d6b39ad206bf80d39f6bc7ffbf94d493f6eccbb96a21b7e3c3a07ac518da0cb335c0a1bd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old
Filesize387B
MD5dd32a157227fec4106623853074d1e58
SHA17b9ea7c7db8d2d1f34ba9fc48b3e501e5278bb84
SHA2561ff91d1ee02cc80398966706adb3a89dea3c6b1785b07b69d64434525a3a1fe2
SHA512a8e481c310954e31983b56b918ff2899fe02704f705d44e6c2ffeacbdff03e337c83b89ea80424a50591c0e2b5ef8fee4697e70fcd83691d6508ed839ea14b53
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe5c72b7.TMP
Filesize347B
MD5d4e83e190a17ddca01574590448d160a
SHA1a3a092c5e6485180b17cdc921c547b99cf3505d9
SHA256f0f973aca7be885362feb6a1c140e44398a00f7e628737641fba8a8b370446ca
SHA5126612c0c28e2ebedbfee288464390710dd510c7d9a8c4b9e4b7c2f6dd23b7cd512c872ea1b7b20bd54f4811509f71f5aeadc24ffcb112840dfe97f567740155ac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
10KB
MD51c9c7156a31c136a98016231dcfffc20
SHA14284fd8e5790f5707e3bc8b9b64d629996bc8773
SHA25630ac83018643dc5e6f111373a96acf5b1fcdb4a1bbc06c8944d564fbd77c74b8
SHA5125ad28828b1151e69122c2712f9f17e687cad01a24de6b2be4fc16242bd9049d72d86ff75f9e8cda1fe180d42c2e8abe7e6ce372caa2a16a67f16736de1169251
-
Filesize
9KB
MD503f1e868f8d48429f16dc449d67b0c26
SHA123e63f219ca3f52ad968863b6a3268115eb9232a
SHA2566a88a3ce3b73eaa3ee488b36033aed6a66740d78b2195ad7bbf63e6b43b6c0e0
SHA512c243da553cce31a2e0e277748ca418d01b885e3bceb4859e43fd8710862ebdf76896df34dc2b5c0230e00d873631d766ab10f02c6e6fc4a32819b76b205cec48
-
Filesize
10KB
MD50583ac2f7d49470d3c70cd069f9fed1e
SHA1c00a147c6234eda90467d2f3a0d02f0abe8909cc
SHA25695b4cab7559aa9175c15d22ea12819c5a238ad31dbf862ff3e24b9b4cdbd1716
SHA5123db207c4a216be6a2347102f2ab8211ccd5db40d6a63a45219c6126ee1427ce16f00177dcd888f07dcfb7e672ddd7a5a8f311fb15cecfb7ec1a6dc5d06fe0794
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5f245a7a3adcae6538e6f9b758b41409c
SHA148c6d027851bddc567fe38e8e275680f51e580fa
SHA2568a8e77a28f42536d5d930693eda8a5c3090657bb5160f8b4e75395c6d7041260
SHA512b9345f4b5c29c0b257e85448250da1b28fdb138620fd8ff689ceb9d291ef0fd07ad6d715de2c209177030fccec631c9cfec621f46685f2c914176c76903e3b03
-
Filesize
1KB
MD57bc25648716a1b0b73d31d86905c8b23
SHA15dac53202d0b7238133d791db27b17561c91c126
SHA2563cb98b636035345e277f7f99ee93037afd3896983811349bca40356c46c417bb
SHA5122504dd11a5f361759854d815b7f5830525deb1550f908454c4246cb888cb55e6193bcd59f047ab7e78cf9f9460d437cb93008091fbd653724cc5ff177fa091fe
-
Filesize
2KB
MD520a0ae1d4289ad2a1e8659b390c88c95
SHA11fc29e0e0bbddc152b6d7d58b35705feff88232b
SHA256b901c81ac68fdd6276729b40bdc41457e76f6e7b1fe57c3e8eff14dc7419a903
SHA512f63db63fdce3169c0d6979a10178001e8f88cba29607e01058a0de9ef2eef04580f9f69e290fa2e96cc90f8f42c463c3b9afa36483125b4c53d039b3f0473ab0
-
Filesize
4KB
MD578ececf00cf29ca2023bda9d2e3a4f2d
SHA132c35eff3c431ab0f4375267897d83d6257279a3
SHA256c89bb56fef6eeb56193ddfd90eb363d231a97377c9a31b8f8a02dcff86c038ed
SHA51238fb7304f09f9c38c607ab846344bae8bb0817b387997bad694c7a71e5718378ff586801a7f8a4f06dc252aa933055c0d75362a7e9190f197ef06ee615894735
-
Filesize
5KB
MD5760ae8ab3b771fe56c424616efb75edd
SHA116b93bb01f308def2307e9b466f11e6416e8494d
SHA256ef54e22fbe9a589d95d33826d7690e3e37eb6a13b44c699bd148fda165069753
SHA512fdfcc8673ca56e206ac2056fd4d5b019a9431e2a59d0a22c0b2f5634772d36809f7a205c75bdabd8463d288900a8c46204fb878469e4852bf18c16bdf4b6159e
-
Filesize
5KB
MD570f4c1fd23150b8a1b9be55cb4a6ffaf
SHA105557c84a56ea2d5083088cc9dc0d075fcf0991d
SHA256d52607b4d74fce074100c0ddfb0a1f72f90dd34acdbd96d81257971352b02464
SHA51222a4ed27f967fa70a30752855f655ead186eee456b57f9066c3281f5e9dee9d9eccedbda2005109e54be6d15ef9a0131aabe9173aca04be081823d574b5b4ef3
-
Filesize
5KB
MD53d52c28e6674618c5195f0fe27d62ec6
SHA1b4e1114e91bd5bd2d3c2bc781d15572d4585825a
SHA2560fa5e91dffde0d43c05b5b457d9a022b76a9db10269c96cc22cdf2e24a59db9c
SHA51293f3ef8a0bd33003e65721fa685e16acddab792ce45c4784bc3fcaf06bd3a2f737dc5fbf12661b31a760deff4947d4291baaf71c8da8bf5c8ba18fc6161a4ffd
-
Filesize
5KB
MD5d8bcd2914a44d9e261f6217f79bb701f
SHA18d2fccb7c7914f00f75847b1c9ecbba3235dcff1
SHA256521b61f65d3718fc329da02265917532dfc8ec4bb6248360a346dca3e8d5c1d0
SHA512817790f609d4e34027ecbc88aeedfa6c267c999b9010d53f076aa07800477e74dab84165365380851d67b84be75f566be81d633d7c87f49b94db5876d31e0e20
-
Filesize
5KB
MD54b41aa5870a67da00d635fe1b997bb45
SHA1b79613a7d38fe219a28966bf45a64280c216a634
SHA256524ef08b4328f217ea745539b5d7f0660305623d5b830acc29893efe3c792ead
SHA512228a5d6256024cb871f038af5de786fbfdce06c3a4149be5498800ba3ad9fecf12b677c2841cc9b2c13979f924fab1e040230e612c03b58892d474307b0b7e93
-
Filesize
5KB
MD50b78b591887b145968cff23c62b70287
SHA12fa803b192e015df8a716817250abf0519c89835
SHA2565467394ed69f1094cec101522753541a75108ede52684ffab2da2664d87842c6
SHA512944f62b07fd2a43fae2983189d4676199fc52b8319fa8072d1004852c8c653e824bd37452124fadb092542781a81894b141e4daff7148d3f986487c38767499f
-
Filesize
5KB
MD5d27f6d6c17fb3c307f88117a30399dc2
SHA1033d2a6f932c684a10526ec079f85adab821acc9
SHA256947030b86b03d9c827692c810c71221c898d8ff52d5fde3b5b30274c1af9cbe2
SHA5120f3b56cb34fbb34426043c4375d0202d6f1e4a53aa01748b0bee0ac8958dbe80d81baa846a04715e02b8afbf58989aeae5433699cf0ba27f97a277b716b38724
-
Filesize
1KB
MD5c5f64e907c62e6a406378e98acd665f7
SHA17852586ef58f2e1f4426b4612b6de4a9e46fff72
SHA256c335fc2d615e294845797123b31cb096d3cd5843fcc7361716c91b74a2f69001
SHA512f82bedbe450ae6ff13444d121847144f6ede51e169e9ea104d62d690535086f1bfd5f3598a3e9feecedf926dc6fe7273eb971bfadff9e174de7cdbaca69e09fe
-
Filesize
3KB
MD564b4bcf7573ba76b676fd3490366dd82
SHA1bd550f8103cd1b0f8b5590ce45fa0bf22dd250a9
SHA25601fa867dec187de519bb5ba8cf7754c19c19d8827b3b5737da238fa30399a455
SHA512c7b6e46abbcb2569551b3ada256ab64dc23febc1b61641a69b4a3beff4c71871d27edd4edfeb1641a3c10c2eaa3d14dff6311145731db41e551c74921207983e
-
Filesize
5KB
MD5bcc50ece91fd6fe8489348601f3ec3f7
SHA18c4ceaff3f7b20401d15eae0fab9d0a8296669d2
SHA25688a026c8ebf4ed3d9b8ca1e4b20ddf734d1a7e87b9b93cf7d3579c9b3e553769
SHA5126e483157aa0f67630bdf0e56788553764edc56f4c3be99babc9a239d271a5a61142731cf7d0d737cc9ccf4b1667654f863f502ec2efb3d95f273c3cdb45f7790
-
Filesize
5KB
MD504aa16d9314f19077ad033e42939ee1e
SHA1bd14a54056695b07affbdc4300d4c8deea02f2f0
SHA256a7de80a4c5b3956ee5838706958251ba9b8018aa79b9db2625bdf1ecd91b30ef
SHA5126548ae4629ad1f20cb0878d0f3310ae3018ce5d8608696df6cdafcf97041439b08d54af06371a4bbf1045d5153893ad0b27ddeac2e5ddb99c2cbde3b20b9265c
-
Filesize
5KB
MD5e1e7b87da1105af1d7b002ff19602d0f
SHA1e6b2681043fc354ea6563a9fa1bdc14a5746be27
SHA256bb0a2dfaf24b43eecd7a82bafe0dce458b67d417038c5e2f68408ef831933583
SHA5127dac58f4fb452c168f70d864cfde0a0ea39ef0310595a8bd7293da2d6753fc6769a686d89b3803b80970980c0c861cb12eb77da2c0c1b9bbbca703ccfdd6af7a
-
Filesize
5KB
MD5910dbdcd8c562ebaad52b8992979dfe3
SHA1e7b6c34113d07099dc6f28b8e06640e0431f038d
SHA25681e4af81f848fa62189fe740c5e9b8a5fc8b442da7ded92f514c7fac4779a27f
SHA512ce0abc482bd6eb50559cc2d6e29af17fbad25315567c70bc6f1715aed7f143a953d19dab55e85fbc579fe079dc6314c6c459de6095e31853a5a309ea1f2ac044
-
Filesize
5KB
MD518cb28e3a85435fedcc546abeb34e5e9
SHA18657ef63a8294888d74183c4da59e558d965a3cd
SHA2560f974b6983a664440cc181fe554cb8163225ca890d54158743156d49d47746cc
SHA512b0201832f5feec208bd33217e379f3447a30a217a8c1a28286cdf2c60d85627ac508d2a314e8630eda0c6c0b1699bc7a005fc85c292ed51631fc9a334b8e6957
-
Filesize
5KB
MD5718b8364eb7cc7f8a045687acd703077
SHA132ccb4d83c1a87850aad6e51b99c481c5356a8c3
SHA25690b2b6f7370a79542330735a6b8721843572f774a3e4a223f6f7f02cd0ec1cf1
SHA512dcab63111da0b6a56028e8aa953f0fe0291ee44c1eff36921047b81f9cd4bbc82b4cbab31673274230ed0b789f54e9f851f4e3698b55d11e8e318222ac186247
-
Filesize
5KB
MD5024449ebefa1a2babf22a46169656009
SHA1ceb765e97da47a086448890eee20c89d1470c6a9
SHA256a46ba7ecd6101755d31a8d110799c22fc42da4175dff741721f47658800ca99c
SHA5129cee44bb9bb175b208cf02e236c725dbbf7c373fdc2a27e4fc5718487ec845a31d90d4360d284d691ffe2077371bb593b5c7fd73cc0c3cdc8324def91cedb3a1
-
Filesize
5KB
MD5e6fb42bf0da55ee5be9a8767b08b2799
SHA167aacb2e4f560cf547e9c6b71e0a3cca153d2fae
SHA25613faa50652ee3167aaf10d33bd80373f48befc19762578f60f5584dc0b496416
SHA512db142c787175990be8f4ad2426f6f6ffbd290d2920142bfce0b1ecc003460e9c8bfee9cc2a38e3daa6255fd1b2b85ff3a6b27728e2452e137cb2b18e9d2c0a8a
-
Filesize
5KB
MD5756edb76eb973d5cd3d02d6c639311b2
SHA1a776b1dbc2897220013576730fb76b46e9d44bc0
SHA256502f89d31eb2d24efdf2fe77c09fed278f72a19d419a0981124c500bf9758dcc
SHA512fb97c1fb6a8ffb2310432206803c62859fa4bf900092a8e4f837a5bda8e2001cb0683c8d454c96d5deb215fd4ac428e2b40dcc7dfc8ec6e38c62c109a0c853dc
-
Filesize
5KB
MD5ab76e5c5f28dec4aaee659292c90bbfd
SHA14cecd30e41524c1445fd1bbf939bfebccad20bea
SHA256462ee9ef75062375e3ad783f81930564713a5a8f3abf57dd03dbc55e75ca3bb9
SHA5122cb80349be033b525f268fbe5d276e41bcb24a0289008fbe3ce133f2221ff2a4f5d7df1bc7f46924419674c71d5d2256702fcbce17a005a2581c9f0b2de130a7
-
Filesize
5KB
MD5996b29c9bd1ea3d0a6fff5c42bf84d88
SHA1de1b5260f1ec6a72b2addac4de37ec719211dbe8
SHA25623217e9e1ac48505c81ee13cda264bee4862f375412f24290cee7e0f9845e6b8
SHA51276cb210c2a6b282ce090b01864409ea581ed0ec4894159cd080ab7c911e34bb9b0b27875750a88c1f1c3f2ca6c69517c2a441da84f76465d9206cd6dca03caa8
-
Filesize
7KB
MD58bb0229fbc289819bccdb273a3afb660
SHA1cb3ec511a060532eb21d36a29f1544319d3950de
SHA2569f88a52559221a27defe8539df16576238ab5c4bc5f78089ed3ab9d574f70632
SHA512d309caac340fb1c42f517f7abe57b9361f5907d41826bb4897f57c64d5bce7912c4fac503e53ed594c99beac4eb998e512183943b3f0fe590fbafd96586e2844
-
Filesize
7KB
MD58bcc1124cc76fc65c2f9c6a56cf789b1
SHA1c3908c89142cc01491f19bfdf4e540cf5083e61a
SHA256f68f309c84d3139d70b5a3f3091626598b665e18e520453f8cb864e455290ed8
SHA512ac6a56cc8346e55591258d131c89fa38ea0c1b8b4c4e5341b9c9eb0933a7a112a962fb549742ef616612744eb9f9b323f0eda1edf9362f9946fcd247ffaa6d5f
-
Filesize
7KB
MD59e8e30ffdbd27a01e6f15ac8516dadb5
SHA10c0e5f4515ed66825e5e7dd0a2b08fe6f02a0c6d
SHA2568ec180c3dcd121c24d623a1f2b931da27331f6bacd84657652635e6357733d1b
SHA5126e1b862aa2a7cb5913cac183d8efcddd719a3df366c1321f8f5acede6bf8cfd605ec9cde392503c51edbb9fd2a17e746a84bdef13e544b7dc9e45fe7350da059
-
Filesize
7KB
MD524677c4fe3d98d3118b40f90306145d4
SHA1ec2e0e4d3d3e4ef6430ec9bdb06e37d853ddbfcb
SHA256799836d03b971a97037ba39ce85c4a71e1db4f4b5897e6c564b5f0f98d0d37a9
SHA5128399fd9afe7da3c3c6f41497e4e5e624ffffc133c580abf404424ef34a5c80536c2eaf2ae0e2e1c79e7830b47ada5c8d2584bb5bbd63b6cbbca4df2a3474fb84
-
Filesize
16KB
MD56ff3d30a44c15a54cfc28b3361ce4a89
SHA191dc4395a1b8931bb933686bbcac90aa968dddbd
SHA2566929fbf167ffe28b0dc43ba75060db2c109ab67243ce6b8b792af40c41a89422
SHA5124c80eb9c930eb290e7e6b01f90a0df0dbf98b820f436d873c799b4c8b7553a70d5783f9c5c5d55c44e1534bf5d5ec554002f4c395fae145e884e06b3d9b5f7e5
-
Filesize
134KB
MD55a836e3d558b413d5052820f7244bb8c
SHA12d99cd4953b3c3f76586b84f7e4b940a548de555
SHA2566da388e4befbf8151f90cb4fd56956030f5f7efaad922841f045422f21d56278
SHA5121e9b7425b26299d7f658e4147d774d7880fa883adf90215aa50bff78a67659b15335f3f9a888f3fa68a40ad9a228dc68609204999956a6ce927bfa1c60f308be
-
Filesize
104KB
MD57811f1e3e30785d8382f1c332fc5296e
SHA15cd33f542e707a14bc50dbe5ac771f6bc8490794
SHA256eb54ef0126671c1dae42232faba7cc4d3be919065d71c0d91cf18783bf1f47ec
SHA5128ce705fa6fbe3a86afd9f90fa43a39887c3dca6192f0f2035a9b8ee8eb0012cd66f20dbcad74ad184b74850c29af2c60994a0aff569cd6fa949bd5a7c87e4bc4
-
Filesize
91KB
MD5f1e8bcdbc9b88c7ee7b0691d7fdcfe59
SHA171e3569f7d0817b742f0dc08d2f4c69e771ef6b7
SHA25665014da0f75d9590c679635526d4d2d4b6e354c83d494432cfec0af8df1f4357
SHA5128054a2e3069bae7e7bbc49ca17fa929b780ef144bd12f0c7baa4bcc12f69c6c37219f44692d24b1a2b9bcf4134426dfb2bd83911b805fd387c22188935daff72
-
Filesize
89KB
MD582a46de5a0951be4b65497302cabb634
SHA1bdcf82d4a65bb3fedb4acfc76f7057917de3c338
SHA2567d7c43255fdf191198b9fd51ee351b8b18e98e28433a394bea04df41057b06bf
SHA512862149fca1134275f67250e71724276a36af78704d089759a503e127376e617073f0b3fe8c0192fec207749865d07344fdb6a0e521bff0cbb7bdaa99540f85dd
-
Filesize
2KB
MD560ad21e008a8447fc1130a9c9c155148
SHA15dfa21d14dc33de3cc93a463688fe1d640b01730
SHA256bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9
SHA51242a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6
-
Filesize
547KB
MD5a07090d5536d6b68a5bc3e75fff9a39e
SHA1bd760ce01e9706fa87887f2c3c5901e81938c5c7
SHA256dbc3319572f168f2176553e4f9291e716f429d74d3661d3380066b3852d7d80c
SHA512ad2b772228b861dc7fa148d8e75a0f6657a87a0609258130bd0e383181f3c0c15edb9bf5904d52a84a7c7f164960bb1b587326598d466a1bc1f92fccb9c9e113
-
Filesize
53B
MD5649117fcfabe05263c63ccb56211b8f6
SHA153beaefca171ec76a8a76acf8a6603f2a9998305
SHA25631284ec08da6a7c1e1f2ec7f46ea71eaea583ff76445c1fc5448a900243c4ebf
SHA5129394d780adcec3a96e7f9df7de3632beae42dda51235d7465e9b9aafa0f5bbf7702ab1236b8ca9b53e45cca1f44d725f7c63ad521355616ea21b72ee9cef5984
-
Filesize
915KB
MD5b06e67f9767e5023892d9698703ad098
SHA1acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA2568498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA5127972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
43KB
MD59c8565cc855b673b1c11e65d6cee5f14
SHA1996287ec020c9eedbb7ee034ca05d3983a209cb9
SHA256808cfac711efa0f7d2539f73ad5b5c345446826e0bf82bedc963d977e9e7063f
SHA512cee10f173fb860206f51e2a32d389166a898b2feca0c9525e02b37f8e2567eff2bdf6d59ac2e3ca8faa98daaefcc9b0e4e945653a2f24347bde376ca903e2fac
-
Filesize
47KB
MD5408990bddad38af7802d874fa4da7047
SHA1e457e365f4d02f41d3d75349ed7e462b30e9b9a9
SHA25694f9920c5c6af66f71add2a5fc3d426be413324421bb675927a8062281ba62b7
SHA5124c5995571c99f89d5fb71be35b0aba55109aaa5d585f5a0a7a46666ac612784f166e82d05d31791e8610a94f20c3dfbed03e7ad42f0f58ad5ec3395775e83b8b
-
Filesize
26KB
MD5f66df9350eb62c394551a6bdd06cca5f
SHA1a295696f4d3bf7e28ede17d7747ede52b5c85e3b
SHA25633e3af4770f6ee0d2334fc2091d564ee2f50e1a7931c757c19c15b7eeafcd762
SHA51234f4119f62efca0da1448ab8c091d5c3693618d5f5baa1f79a56bb46f71832e838e30f6d1e0ae97a0a595ad5e46926502c0cfe498dfd5999336502056efdc697
-
Filesize
169KB
MD5c06ebc0eea68bcab267bfeabde75cd41
SHA13af40fe9dc8db434ad81ef3406c49cdf23d0b9f4
SHA256bd8b204aff198d37ba7651479f9cfba9422e42098a2d562b2ae478f9bfc81ebc
SHA512741f436c5356615a0c7485d83b6b164a6d918b83e6e9739b0ee7e1bd2b21e76cde13a4fe54d56bbb294b8f16db12bab2bd66b56a0429d31af5f446cf23fef446
-
Filesize
49KB
MD58f84bc252992e4fa3b06bb05eec67c52
SHA14f65911c222852324a98e97628bc41f83fde7745
SHA2562b8a3d4b1bcff480b890fd95a36bf33fdfb63059ccd549adc4ef5179d6d353c9
SHA51236e1a89940a82de86116ee1fed19346c4dfb8db981251c3acae4ac3b0316f0c6b6e86828f01dcc3e9d08c51baad4cbc83aee98ee96aa99770cd9a69c25cc6a8b
-
Filesize
14KB
MD585b6db997894a7d7c070e7acfd0326a4
SHA13b637285b2f7f91ff765ebb6df0e6048ab8e21a1
SHA256bf3b5c8e9c9320fd4b128e6a5705622c0c131c34f3a31ae1a354c7dbf31fb96c
SHA512be60f2cd2b72c9b840aa9bf04d0ee98e54ce8353338c0d5da4ddf9ffeab35c86513367ae9003d04e5e3368b1e98ee9189e7572f7caff71935f69fd955dd43cf4
-
Filesize
53KB
MD5ff6b23fc636864301e3caaa659c3102d
SHA1de672686b47b9cfd4d5d0a1a57fe1cdc36a4fe2f
SHA25604a8f656ca840d0acfb56834daeab37ce72d16b25665dd68905ed4f6bec422ca
SHA51257765fceb856504d445d3ba07616f3b792b0e492ac8b3594a1e2ba25ed00a4c1268025d8ac5f38fe8300bb6460c08b6f8575c67f823e6e630c38e7629e08e4e6
-
Filesize
32KB
MD540a21dddd713ecdf3306d83a18213a53
SHA16c501b423664058245b19934099bc03be2b00952
SHA256c834a6d3c588cf565307cdb23d03bf1368ab156ad8db8a04745dea32c61c5f55
SHA51299616fc719a283fab96f5cdd04f87a4720aff5c3644b5dd97e556d72d3fc4125bda7519dfcd433fa3e8a3644be7bb93c180422e2ccb4320047c59b0ace3eddb5
-
Filesize
115KB
MD5a2615814de9ce0bcfbd6fbbe038e5e6a
SHA1e8203d41c30bed830020012ecf450b90419e0eb1
SHA2565a85484002f916c1e0170e839b7b0ca32850576db184ce49e9ac3f637393d415
SHA512dfbf084ed8726f9a377ef12214c2a60b077787df325d5265dda6231a9d8105cc624c8546f05ada7c390abf4eed1be7b475a4850039ec4026584dc8a523258752
-
Filesize
24KB
MD5929fa2089a55870ce01ada2d52e63db5
SHA182638a15eb5b7d04c1ab0a160dfe1b21aba87429
SHA256ebf8baf61e933b4169b0150bd467ac88be1a8827ec17b3711e7f75d13b30c34e
SHA512ad7bf0959879852a5fec061ee4bfd05fa207460c4269f9eff3844d8d60f22eeeaa2592a5518a3cf5d5b50e34c5a82023d73f05c2020f0cc92881fd1ee3860d81
-
Filesize
20KB
MD5397ab3b2031492e256d221c1961e3a01
SHA12c3e9f08365600a2819f2ee6d952071eba45c838