hxxp://https[//]www[.]roblox[.]com/games/2753915549/?privateServerLinkCode=80141195310492238306769456043437

Analysis

max time kernel
1025s
max time network
1026s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 07:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://https//www.roblox.com/games/2753915549/?privateServerLinkCode=80141195310492238306769456043437

Score

8^/10

adware discovery evasion persistence stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Executes dropped EXE 48 IoCs

pid	Process
3300	RobloxPlayerInstaller.exe
4912	MicrosoftEdgeWebview2Setup.exe
3112	MicrosoftEdgeUpdate.exe
4848	MicrosoftEdgeUpdate.exe
4040	MicrosoftEdgeUpdate.exe
4348	MicrosoftEdgeUpdateComRegisterShell64.exe
2896	MicrosoftEdgeUpdateComRegisterShell64.exe
4696	MicrosoftEdgeUpdateComRegisterShell64.exe
4768	MicrosoftEdgeUpdate.exe
2420	MicrosoftEdgeUpdate.exe
468	MicrosoftEdgeUpdate.exe
4656	MicrosoftEdgeUpdate.exe
2612	MicrosoftEdge_X64_125.0.2535.67.exe
4036	setup.exe
4520	setup.exe
3960	MicrosoftEdgeUpdate.exe
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
3052	MicrosoftEdgeUpdate.exe
6112	MicrosoftEdgeUpdate.exe
5268	MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
1996	MicrosoftEdgeUpdate.exe
4752	MicrosoftEdgeUpdate.exe
4680	MicrosoftEdgeUpdate.exe
2488	MicrosoftEdgeUpdate.exe
5536	MicrosoftEdgeUpdateComRegisterShell64.exe
3716	MicrosoftEdgeUpdateComRegisterShell64.exe
5892	MicrosoftEdgeUpdateComRegisterShell64.exe
5952	MicrosoftEdgeUpdate.exe
5308	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
5600	RobloxPlayerBeta.exe
4508	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe
3816	RobloxStudioInstaller.exe
3764	RobloxStudioInstaller.exe
5592	MicrosoftEdgeUpdate.exe
5416	MicrosoftEdgeUpdate.exe
5200	MicrosoftEdgeUpdate.exe
6368	BGAUpdate.exe
6388	MicrosoftEdgeUpdate.exe
5036	MicrosoftEdgeUpdate.exe
6424	MicrosoftEdge_X64_125.0.2535.67.exe
3092	setup.exe
5584	setup.exe
6624	setup.exe
6648	setup.exe
6968	MicrosoftEdgeUpdate.exe

Loads dropped DLL 47 IoCs

pid	Process
3112	MicrosoftEdgeUpdate.exe
4848	MicrosoftEdgeUpdate.exe
4040	MicrosoftEdgeUpdate.exe
4348	MicrosoftEdgeUpdateComRegisterShell64.exe
4040	MicrosoftEdgeUpdate.exe
2896	MicrosoftEdgeUpdateComRegisterShell64.exe
4040	MicrosoftEdgeUpdate.exe
4696	MicrosoftEdgeUpdateComRegisterShell64.exe
4040	MicrosoftEdgeUpdate.exe
4768	MicrosoftEdgeUpdate.exe
2420	MicrosoftEdgeUpdate.exe
468	MicrosoftEdgeUpdate.exe
468	MicrosoftEdgeUpdate.exe
2420	MicrosoftEdgeUpdate.exe
4656	MicrosoftEdgeUpdate.exe
3960	MicrosoftEdgeUpdate.exe
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
3052	MicrosoftEdgeUpdate.exe
6112	MicrosoftEdgeUpdate.exe
6112	MicrosoftEdgeUpdate.exe
3052	MicrosoftEdgeUpdate.exe
1996	MicrosoftEdgeUpdate.exe
4752	MicrosoftEdgeUpdate.exe
4680	MicrosoftEdgeUpdate.exe
2488	MicrosoftEdgeUpdate.exe
5536	MicrosoftEdgeUpdateComRegisterShell64.exe
2488	MicrosoftEdgeUpdate.exe
3716	MicrosoftEdgeUpdateComRegisterShell64.exe
2488	MicrosoftEdgeUpdate.exe
5892	MicrosoftEdgeUpdateComRegisterShell64.exe
2488	MicrosoftEdgeUpdate.exe
5952	MicrosoftEdgeUpdate.exe
5308	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
5600	RobloxPlayerBeta.exe
4508	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe
5592	MicrosoftEdgeUpdate.exe
5416	MicrosoftEdgeUpdate.exe
5416	MicrosoftEdgeUpdate.exe
5592	MicrosoftEdgeUpdate.exe
5200	MicrosoftEdgeUpdate.exe
6388	MicrosoftEdgeUpdate.exe
5036	MicrosoftEdgeUpdate.exe
5036	MicrosoftEdgeUpdate.exe
6968	MicrosoftEdgeUpdate.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\notification_click_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\notification_click_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\EBWebView\\x64\\EmbeddedBrowserWebView.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!BCILauncher = "\"C:\\Windows\\Temp\\MUBSTemp\\BCILauncher.EXE\" bgaupmi=13DFB5A13E5C412787CD542B93E0B365"	BGAUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxStudioInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
704	camo.githubusercontent.com

Checks system information in the registry 2 TTPs 30 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

pid	Process
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\UGCValidation\UGCValidation\util\Types.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GameVotesRodux\Promise.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TenFootUiTesting\React.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\InspectAndBuy\Actions\SetFavoriteAsset.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\react\hooks\utils\useAfterFastRefresh.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\Symbol\.robloxrc	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\__tests__\UnitTestHelpers\mountStyledFrame.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VideoProtocol\MessageBus.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VoiceChatCore\Dev\JestGlobals.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\QueryRefetch\UserProfiles.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactServices\Dev\JestGlobals.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Shared\InsertableObjects\Light\Large\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\InGameMenu\Thunks\OpenSystemMenu.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\JestReporters-edcba0e9-2.4.1\JestTypes.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\Utils-debf4142-0.3.1\Utils\memoize.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\ExtraContent\textures\ui\LuaChatV2\navigation_pushBack.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\ContactList\Analytics\EventNamesEnum.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\RoactRodux\RoactRodux\shallowEqual.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AvatarExperienceSearch\Rodux.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\SharedUtils\SharedUtils\getDefaultValue.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ErrorReporters\Cryo.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GamePlayButton\GameLaunch.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\textures\DeveloperInspector\Inspect.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\BuiltInPlugins\Optimized_Embedded_Signature\LayeredClothingEditor.rbxm	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\DevConsole\Components\CheckBoxDropDown.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\PlayerList\Actions\RemovePlayer.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ServerUI\React.lua	RobloxStudioInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.67\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\Field.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\UrlBuilder.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\PurchasePrompt\Network\performSubscriptionPurchase.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\PlayerScripts\StarterPlayerScripts_old\CameraScript\RootCamera.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\fonts\arialbd.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\textures\ui\Emotes\Large\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.67\Locales\am.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\textures\StudioToolbox\Banners\MonsterCat.png	RobloxStudioInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.67\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\Merge\Merge\typedefs-mergers\input-type.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\textures\ui\VR\buttonHover.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUFEFA.tmp\psuser_64.dll	MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\textures\MenuBar\icon_chat.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\textures\ui\Controls\DefaultController\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\InspectAndBuy\Flags\GetFFlagIBGateUGC4ACollectibleAssetsBundles.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\RbxDesignFoundations-e7e73050-fd2e104b\RbxDesignFoundations\tokens\Desktop\Builder\Light\Global.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-3.5.0\RobloxShared\RobloxInstance.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\textures\ui\InGameMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_uk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Lua\TerrainEditor\Light\Large\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\NetworkingAliases-96003ad7-0.6.3\Util.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\React.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\content\textures\TerrainTools\mtrl_mud.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\TextChatCommand.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\textures\ui\LuaChat\9-slice\scroll-bar.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\LuaPackages\Packages\_Index\2D-Collision-Matchers\2D-Collision-Matchers\returnValue.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\StyleWidgets.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-c5a2369e0d774f91\ExtraContent\scripts\CoreScripts\Modules\PurchasePrompt\Thunks\resolvePromptState.lua	RobloxStudioInstaller.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxStudioInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxStudioInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxStudioInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxStudioInstaller.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\125.0.2535.67\\BHO"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusSvc.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CurVer\ = "MicrosoftEdgeUpdate.CoreClass.1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\MICROSOFTEDGEUPDATE.EXE	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4248	WINWORD.EXE
4248	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
3948	chrome.exe
3948	chrome.exe
3300	RobloxPlayerInstaller.exe
3300	RobloxPlayerInstaller.exe
3112	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdate.exe
5044	RobloxPlayerBeta.exe
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
3052	MicrosoftEdgeUpdate.exe
3052	MicrosoftEdgeUpdate.exe
3052	MicrosoftEdgeUpdate.exe
3052	MicrosoftEdgeUpdate.exe
5600	msedge.exe
5600	msedge.exe
2064	msedge.exe
2064	msedge.exe
5320	msedge.exe
5320	msedge.exe
6112	MicrosoftEdgeUpdate.exe
6112	MicrosoftEdgeUpdate.exe
4752	MicrosoftEdgeUpdate.exe
4752	MicrosoftEdgeUpdate.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
1992	taskmgr.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
376	msedge.exe
376	msedge.exe
5256	identity_helper.exe
5256	identity_helper.exe
5308	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2460	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe
2556	RobloxPlayerBeta.exe
5592	MicrosoftEdgeUpdate.exe
5592	MicrosoftEdgeUpdate.exe
5592	MicrosoftEdgeUpdate.exe
5592	MicrosoftEdgeUpdate.exe
3764	RobloxStudioInstaller.exe
3764	RobloxStudioInstaller.exe
6292	msedge.exe
6292	msedge.exe
6572	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6872	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe
Token: SeShutdownPrivilege	3864	chrome.exe
Token: SeCreatePagefilePrivilege	3864	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
5320	msedge.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe
3864	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4248	WINWORD.EXE
4248	WINWORD.EXE
4248	WINWORD.EXE
4248	WINWORD.EXE
4248	WINWORD.EXE
4248	WINWORD.EXE
4248	WINWORD.EXE
456	SearchApp.exe
6572	mspaint.exe
6572	mspaint.exe
6572	mspaint.exe
6572	mspaint.exe
5864	LogonUI.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
5044	RobloxPlayerBeta.exe
368	RobloxPlayerBeta.exe
5308	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 624	3864	chrome.exe	85
PID 3864 wrote to memory of 624	3864	chrome.exe	85
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 2608	3864	chrome.exe	86
PID 3864 wrote to memory of 1732	3864	chrome.exe	87
PID 3864 wrote to memory of 1732	3864	chrome.exe	87
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88
PID 3864 wrote to memory of 788	3864	chrome.exe	88

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://https//www.roblox.com/games/2753915549/?privateServerLinkCode=80141195310492238306769456043437
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaa5fab58,0x7ffbaa5fab68,0x7ffbaa5fab78
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4420 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1680 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4280 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4944 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1808 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4176 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4352 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4976 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4624 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4112 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4648 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5248 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4340 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=1888 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4968 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5032 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4364 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5684 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5752 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6380 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6276 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=5708 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=5752 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- - C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
    MicrosoftEdgeWebview2Setup.exe /silent /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4912
  - - C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Sets file execution options in registry
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Suspicious behavior: EnumeratesProcesses
      PID:3112
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4848
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4040
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4348
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2896
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4696
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDNBRDBFRkYtOTI1Qy00QkU3LThFMkEtRkZCRUVGNDMxRDQ2fSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswRjM2RTdDRC1GQUE2LTRDOEYtOUQ5OC03MTZFQjI1NzhFM0N9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7c0c5REo2TTNmWmtQN0NFTFdHbkR4Qyt3YVJhUUV1RUx2TElmWGsvTUF0Yz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY1MDUxNDI4OTMiIGluc3RhbGxfdGltZV9tcz0iNjMzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        
        PID:4768
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{D3AD0EFF-925C-4BE7-8E2A-FFBEEF431D46}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2420
- - C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" -app -isInstallerLaunch
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6204 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6184 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6220 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=6492 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=4952 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6452 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6592 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4404 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=5752 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:WPzgCefpt7d8hCTI1TfzhV0D8iH4CiQ4CaL1Zd63YjufXbGjN-PbDk5fEhfJTdxJNh3Zhp_teJCcxb7XtFg4kKmy-GFBCWC54t9vemuz2UmubOqScvwplKduEJaRstXSk60yosaWIrixVYyLWBe4hGGyLH2pQk_PgCjpKRVQRfQxEW78RhKgAUDhoFpuejOs-7oNYiQITwmk46Yx3zPTSZGVwhKAY--zSRoNT5vRb8A+launchtime:1716709892256+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1716709764246004%26placeId%3D2753915549%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D6be15e35-867b-4790-bc1d-4ea38aa18b42%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1716709764246004+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=6200 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6556 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6832 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6876 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=6996 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=6156 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=6932 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=5676 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=7060 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=7064 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=6224 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=6532 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=872 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=6968 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=6408 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6652 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6896 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=6188 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=4116 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=6552 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 --field-trial-handle=1896,i,8958541257820773861,11645681276940700174,131072 /prefetch:8
  2⤵
  PID:1820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x4fc
1⤵
PID:4020

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:468
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDNBRDBFRkYtOTI1Qy00QkU3LThFMkEtRkZCRUVGNDMxRDQ2fSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDNTZEMzA2My1GQTA5LTQ1OUQtQkVEMS0wRTI3MTg4ODg5M0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7c0c5REo2TTNmWmtQN0NFTFdHbkR4Qyt3YVJhUUV1RUx2TElmWGsvTUF0Yz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY1MTAwMzI5ODEiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:4656
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\MicrosoftEdge_X64_125.0.2535.67.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\MicrosoftEdge_X64_125.0.2535.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:2612
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\EDGEMITMP_2FE61.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\EDGEMITMP_2FE61.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\MicrosoftEdge_X64_125.0.2535.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4036
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\EDGEMITMP_2FE61.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\EDGEMITMP_2FE61.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E1729F57-4416-40E0-89C3-BC24E9B49D03}\EDGEMITMP_2FE61.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff668e84b18,0x7ff668e84b24,0x7ff668e84b30
      4⤵
      Executes dropped EXE
      PID:4520
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDNBRDBFRkYtOTI1Qy00QkU3LThFMkEtRkZCRUVGNDMxRDQ2fSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5OUQyMjZENS0xNkUzLTQ0MzMtQjA5Ni1GMTY5MkRBNzZERDh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI1LjAuMjUzNS42NyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjUzMDc5MjU1NSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY1MzA5NDI0OTgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2OTcyNTMyNDQyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzA4ZTc3MC01MWEwLTRkMDAtYTJmMy1kNzM2ZGI4NTg2ZTc_UDE9MTcxNzMxNDY2NiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1iaHQxWXRJanklMmZ4MWx1ak9xdFBUcWRFSlE1MXMyb1RZZDRwQnNlUm5JWXZoT25zM2I2SGJEdTBFM0tqQk5lVmJxMDF0bjRBeiUyYjJ3MExIZTBMcDZZTlElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzM4MDg1OTIiIHRvdGFsPSIxNzM4MDg1OTIiIGRvd25sb2FkX3RpbWVfbXM9IjM3NTMzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjk3MjYzMjM1MiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY5ODc1NjI1NjIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc0MzM3NjI2NTUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxNTkzIiBkb3dubG9hZF90aW1lX21zPSI0NDE1NyIgZG93bmxvYWRlZD0iMTczODA4NTkyIiB0b3RhbD0iMTczODA4NTkyIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0NDYxOCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:3960

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte4c4d7e0hc800h40e6ha3cah2eb104f793fb
1⤵
PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x98,0x12c,0x7ffb97d146f8,0x7ffb97d14708,0x7ffb97d14718
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6186379365899756238,7416814696707838591,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6186379365899756238,7416814696707838591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6186379365899756238,7416814696707838591,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5884

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6112
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01BF181-C91A-4EE7-9498-178B49769FEC}\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F01BF181-C91A-4EE7-9498-178B49769FEC}\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe" /update /sessionid "{2BEDBFFE-1AE6-4AAC-AF53-3D99E069BC1B}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5268
- - C:\Program Files (x86)\Microsoft\Temp\EUFEFA.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUFEFA.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{2BEDBFFE-1AE6-4AAC-AF53-3D99E069BC1B}"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4752
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4680
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2488
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5536
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3716
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5892
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkJFREJGRkUtMUFFNi00QUFDLUFGNTMtM0Q5OUUwNjlCQzFCfSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7NjQ3QzFDN0YtN0EyMi00RjE2LUJDMUItNUU2RjBEOTUzMEUwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTg3LjM5IiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzE2NzA5ODYyIj48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDI4MzAyOTgyMiIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      PID:5952
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkJFREJGRkUtMUFFNi00QUFDLUFGNTMtM0Q5OUUwNjlCQzFCfSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBRUE5OTlDQS1BNjMzLTQxQ0MtQUJDNy01QzdGOTkyMDBGRjV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xODcuMzkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5OTMzMTA4Njc1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk5MzMyNjQ4NzUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMjYzODc5ODQ0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMjIxNjY3ZGMtYmIwYS00YWNiLTgzM2QtNWExMWRjODhhOGJmP1AxPTE3MTczMTUwMDcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9TlRUaHVndHE0QmlPZUklMmZrQ203QmFVVmlYaTB2c2pBYzNzVGpXblgybXZsY0xtSjBmaWhRUXpDZ2x2dkpYMklneDFrVEIzMFRIeFhxMmhoZkVtb0FDdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMjYzODg5NTQ0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8yMjE2NjdkYy1iYjBhLTRhY2ItODMzZC01YTExZGM4OGE4YmY_UDE9MTcxNzMxNTAwNyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1OVFRodWd0cTRCaU9lSSUyZmtDbTdCYVVWaVhpMHZzakFjM3NUalduWDJtdmxjTG1KMGZpaFFRekNnbHZ2SlgySWd4MWtUQjMwVEh4WHEyaGhmRW1vQUN3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTYyMTA0OCIgdG90YWw9IjE2MjEwNDgiIGRvd25sb2FkX3RpbWVfbXM9IjI4NzYzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMjYzOTE5NTM1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMjY5MDk5NjA3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PHBpbmcgcj0iMzAiIHJkPSI2MzI1IiBwaW5nX2ZyZXNobmVzcz0ie0I2RDU4NjYyLTYxNTYtNDNFOS1CNDM5LTM5MDFDRkE3QkIyNX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNTg2MTEwOTA5MDQ1NTAwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMzAiIHI9IjMwIiBhZD0iNjMyNSIgcmQ9IjYzMjUiIHBpbmdfZnJlc2huZXNzPSJ7MzE1NEE3NkUtQzRGNC00MUNCLUE4NzktM0REOTBBRkE3NDdBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMjUuMC4yNTM1LjY3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYzNDkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9Ins2MTUxNkQ2MS0xQ0VDLTRBNzctQUUyMy02NTNBRTAwNEE2NjN9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb97d146f8,0x7ffb97d14708,0x7ffb97d14718
  2⤵
  PID:5432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=15178417553408 --process=176 /prefetch:7 --thread=5020
    3⤵
    PID:7164
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5432 -s 484
    3⤵
    PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2644 /prefetch:2
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6308 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3480 /prefetch:2
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14400163692678967659,16562553312666126048,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:6916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x4fc
1⤵
PID:2008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:4984

C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:5308

C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5600

C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4508

C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe
"C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:3816
- C:\Users\Admin\AppData\Local\Temp\Roblox\RobloxStudioInstaller_DDB10\RobloxStudioInstaller.exe
  C:\Users\Admin\AppData\Local\Temp\Roblox\RobloxStudioInstaller_DDB10\RobloxStudioInstaller.exe -relaunch
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3764

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5592

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5416
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEE4MTEzNkYtMjgxNC00OTgzLUIyQTEtQTVDMURDRjQ3QjI5fSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkE5REE3QkMtNkM5RC00QjE1LTlFMzItNkRDQkYwNjgyREI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0Q2anhQZVVtS2ZoOHl0eTZGMDdZeE0xZVpESC9UVjZGUVQyZmZEaVp5d3c9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyOSIgaW5zdGFsbGRhdGV0aW1lPSIxNzE0MTM1OTkyIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTg2MzM3MDY4MjE5MDE5Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDA2OCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMyODkzNjE0MTciLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:5200
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42FA1970-7FC8-4B76-BCA1-0EF32F310090}\BGAUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{42FA1970-7FC8-4B76-BCA1-0EF32F310090}\BGAUpdate.exe" --edgeupdate-client --system-level
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:6368
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEE4MTEzNkYtMjgxNC00OTgzLUIyQTEtQTVDMURDRjQ3QjI5fSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5NkU5QjBDOC00MTNDLTRFNzktOTA4MC02NTI0MjNGMDEzOUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7MUZBQjhDRkUtOTg2MC00MTVDLUE2Q0EtQUE3RDEyMDIxOTQwfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMi4wLjAuMzQiIGxhbmc9IiIgYnJhbmQ9IkVVRkkiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzMwNzgwNDI2NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMzA4MDU1MDIyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzODk3OTk5NjcxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNWYxOTU2MTItMzg0YS00OGVhLTg0MDgtYjRlZGU5ZGM1NmJiP1AxPTE3MTczMTUzNDQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9TkNLdVJCaUh4YiUyYlg5N2haRXNkbWJ4Ukh0WWFvNnYzUFBERVB3JTJmMkk3SEZBMmpLcndLaW1ZTjdCdGJlOG02UktIT2xLenE2bVo4YmlVMWRwTE1Oc1VnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzg5ODAyOTQ5NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNWYxOTU2MTItMzg0YS00OGVhLTg0MDgtYjRlZGU5ZGM1NmJiP1AxPTE3MTczMTUzNDQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9TkNLdVJCaUh4YiUyYlg5N2haRXNkbWJ4Ukh0WWFvNnYzUFBERVB3JTJmMkk3SEZBMmpLcndLaW1ZTjdCdGJlOG02UktIT2xLenE2bVo4YmlVMWRwTE1Oc1VnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTgwNDQ0NDgiIHRvdGFsPSIxODA0NDQ0OCIgZG93bmxvYWRfdGltZV9tcz0iNTMwNTgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzg5ODA2OTQwMSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzOTA1MzI5NTkxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM5MTEyMDE2MzciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMTMyIiBkb3dubG9hZF90aW1lX21zPSI1ODk3NiIgZG93bmxvYWRlZD0iMTgwNDQ0NDgiIHRvdGFsPSIxODA0NDQ0OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTcwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:6388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8a682249h1dadh4468h8e12hec03f2b89fc9
1⤵
PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb97d146f8,0x7ffb97d14708,0x7ffb97d14718
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18383854077568454953,5142523333805353336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:6284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18383854077568454953,5142523333805353336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6292

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResizeCompare.emf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6660

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\CheckpointRead.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:6872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6676

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5036
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\MicrosoftEdge_X64_125.0.2535.67.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\MicrosoftEdge_X64_125.0.2535.67.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  PID:6424
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\MicrosoftEdge_X64_125.0.2535.67.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - System policy modification
    PID:3092
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.67 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff66e0a4b18,0x7ff66e0a4b24,0x7ff66e0a4b30
      4⤵
      Executes dropped EXE
      PID:5584
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:6624
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.67 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff66e0a4b18,0x7ff66e0a4b24,0x7ff66e0a4b30
        5⤵
        Executes dropped EXE
        
        PID:6648
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkI0RTg0RjgtMjREMS00RDQwLTkwMjktQ0JGRTM3RjUzRDEwfSIgdXNlcmlkPSJ7Nzg3QkYwMDAtODM2Ni00RTQ0LTk1ODUtMTI2RkU1RjY4OTcwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszQTYyQUU0Qy1GQjkzLTQxMEYtOEVFQi1GMTA4NzI3ODY5REZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RDZqeFBlVW1LZmg4eXR5NkYwN1l4TTFlWkRIL1RWNkZRVDJmZkRpWnl3dz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4Ny4zOSIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJJc09uSW50ZXJ2YWxDb21tYW5kc0FsbG93ZWQ9LXRhcmdldF9kZXY7UHJvZHVjdHNUb1JlZ2lzdGVyPSU3QjFGQUI4Q0ZFLTk4NjAtNDE1Qy1BNkNBLUFBN0QxMjAyMTk0MCU3RCIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40NiI-PHVwZGF0ZWNoZWNrLz48cGluZyByZD0iNjM1NSIgcGluZ19mcmVzaG5lc3M9Ins3REQxNDIwMi1BMkRDLTQ3NTYtQkRBOS1EQzZCMTU4QjAxMzZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iMTI1LjAuMjUzNS42NyIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNjExODQxNjI4OTkzMDkwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzk4NzQ1MTg0OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzk4NzUzMTc2NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDA0Nzg1MTg5MSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDA2NzY3MjEzOSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ1NTU5MjUyNzIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI3NDIiIGRvd25sb2FkZWQ9IjE3MzgwODU5MiIgdG90YWw9IjE3MzgwODU5MiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjIiIGluc3RhbGxfdGltZV9tcz0iNDg4MjEiLz48cGluZyBhY3RpdmU9IjEiIGFkPSI2MzU1IiByZD0iNjM1NSIgcGluZ19mcmVzaG5lc3M9Ins1MjJBNDVDNi1GMUZGLTRDOTUtOURCNi01ODgwNzVFQTg5REV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyNS4wLjI1MzUuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZT0iNjM0OSIgY29ob3J0PSJycmZAMC45OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByZD0iNjM1NSIgcGluZ19mcmVzaG5lc3M9InsyQjQ0MkZFMy1DMkFELTQ4RDctQTI0Ny1GQTdENzlDQTBEQkV9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:6968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6904

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:6736

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f92855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.67\Installer\setup.exe

Filesize
6.9MB

MD5
6aafb8c6ce355a80514a2f3abc13a9ad

SHA1
2db9a7dde9086dd415ee41b4b109a3311f088c8c

SHA256
adbd1a10981cccd00918d924ec93a9d6f29d16190691f6984b199f9a42cc0cb6

SHA512
c9f23c68b7385d8edfdbff7b80a6064ac8eb879384796e7f54b094155feb32a86836c4a910c323128a4a6b3b15b7fbe1a9b0b56153ff0e71c96dce7776b0f848

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{1FAB8CFE-9860-415C-A6CA-AA7D12021940}\2.0.0.34\BGAUpdate.exe

Filesize
17.2MB

MD5
3f208f4e0dacb8661d7659d2a030f36e

SHA1
07fe69fd12637b63f6ae44e60fdf80e5e3e933ff

SHA256
d3c12e642d4b032e2592c2ba6e0ed703a7e43fb424b7c3ab5b2e51b53d1d433b

SHA512
6c8fce43d04dd7e7f5c8bf275ba01e24a76531e89cc02f4b2f23ab2086f7cf70f485c4240c5ea41bf61cb7ceee471df7e7bdc1b17dfdd54c22e4b02ff4e14740

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.187.39\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe

Filesize
1.5MB

MD5
1f744e1c802560affe8b308640b6ab67

SHA1
bbfecefdf891c11d573760d4dabdf86091463421

SHA256
fa7d8a8cae60ab620d2aa887de62039d2647e4f5c1c649d75f0f52e14ec11a99

SHA512
780440aa518397e52bb429b5a8e7697bf0096db0fe343cd40a541b60f34ad4976ef7fc2204737d296a8c1fbed2951496503dc50158d6455617c67483f87f3015

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5414431C-1026-49ED-BB9E-A982C5B23DF9}\EDGEMITMP_7FD79.tmp\SETUP.EX_

Filesize
2.8MB

MD5
047f51993bde0b7add44035ad3c5fb35

SHA1
7d56baff27be27df8c2d3ef2bfbfd14e84d2b70f

SHA256
83adcbedcb0e3d11e39c5c276b0314ead57925b164670fd4f59a909729d4e6b2

SHA512
14132d71e02b97fdcae7cbb0d3d4c92c1f7c044ab63248d0a717e41e64ce96e1c533e1fe77a85fe93c8d12866f30ccfa5bd0a37a516b5d223973980ebf54e603

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
7a160c6016922713345454265807f08d

SHA1
e36ee184edd449252eb2dfd3016d5b0d2edad3c6

SHA256
35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9

SHA512
c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
60dba9b06b56e58f5aea1a4149c743d2

SHA1
a7e456acf64dd99ca30259cf45b88cf2515a69b3

SHA256
4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112

SHA512
e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
c044dcfa4d518df8fc9d4a161d49cece

SHA1
91bd4e933b22c010454fd6d3e3b042ab6e8b2149

SHA256
9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2

SHA512
f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
965b3af7886e7bf6584488658c050ca2

SHA1
72daabdde7cd500c483d0eeecb1bd19708f8e4a5

SHA256
d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

SHA512
1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
567aec2d42d02675eb515bbd852be7db

SHA1
66079ae8ac619ff34e3ddb5fb0823b1790ba7b37

SHA256
a881788359b2a7d90ac70a76c45938fb337c2064487dcb8be00b9c311d10c24c

SHA512
3a7414e95c2927d5496f29814556d731aef19efa531fb58988079287669dfc033f3e04c8740697571df76bfecfe3b75659511783ce34682d2a2ea704dfa115b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
f6c1324070b6c4e2a8f8921652bfbdfa

SHA1
988e6190f26e4ca8f7ea3caabb366cf1edcdcbbf

SHA256
986b0654a8b5f7b23478463ff051bffe1e9bbdeb48744e4aa1bd3d89a7520717

SHA512
63092cf13e8a19966181df695eb021b0a9993afe8f98b1309973ea999fdf4cd9b6ffd609968d4aa0b2cde41e872688a283fd922d8b22cb5ad06339fe18221100

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
570efe7aa117a1f98c7a682f8112cb6d

SHA1
536e7c49e24e9aa068a021a8f258e3e4e69fa64f

SHA256
e2cc8017bc24e73048c7ee68d3787ed63c3898eec61299a9ca1bab8aeaa8da01

SHA512
5e963dd55a5739a1da19cec7277dc3d07afdb682330998fd8c33a1b5949942019521967d8b5af0752a7a8e2cf536faa7e62982501170319558ceaa21ed657ae8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
a8d3210e34bf6f63a35590245c16bc1b

SHA1
f337f2cbec05b7e20ca676d7c2b1a8d5ae8bf693

SHA256
3b82de846ad028544013383e3c9fb570d2a09abf2c854e8a4d641bd7fc3b3766

SHA512
6e47ffe8f7c2532e7854dcae3cbd4e6533f0238815cb6af5ea85087c51017ea284542b988f07692d0297ebab1bad80d7613bf424ff532e10b01c8e528ab1043a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
7937c407ebe21170daf0975779f1aa49

SHA1
4c2a40e76209abd2492dfaaf65ef24de72291346

SHA256
5ab96e4e6e065dbce3b643c6be2c668f5570984ead1a8b3578bbd2056fbad4e9

SHA512
8670746941660e6573732077f5ed1b630f94a825cf4ac9dbe5018772eaac1c48216334757a2aeaa561034b4d907162a370b8f0bae83b34a09457fafe165fb5d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
8375b1b756b2a74a12def575351e6bbd

SHA1
802ec096425dc1cab723d4cf2fd1a868315d3727

SHA256
a12df15afac4eb2695626d7a8a2888bdf54c8db671043b0677180f746d8ad105

SHA512
aec4bb94fde884db79a629abcff27fd8afb7f229d055514f51fa570fb47a85f8dfc9a54a8f69607d2bcaf82fae1ec7ffab0b246795a77a589be11fad51b24d19

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
a94cf5e8b1708a43393263a33e739edd

SHA1
1068868bdc271a52aaae6f749028ed3170b09cce

SHA256
5b01fe11016610d5606f815281c970c86025732fc597b99c031a018626cd9f3c

SHA512
920f7fed1b720afdb569aec2961bd827a6fc54b4598c0704f65da781d142b1707e5106a459f0c289e0f476b054d93c0b733806af036b68f46377dde0541af2e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
7dc58c4e27eaf84ae9984cff2cc16235

SHA1
3f53499ddc487658932a8c2bcf562ba32afd3bda

SHA256
e32f77ed3067d7735d10f80e5a0aa0c50c993b59b82dc834f2583c314e28fa98

SHA512
bdec1300cf83ea06dfd351fe1252b850fecea08f9ef9cb1207fce40ce30742348db953107ade6cdb0612af2e774345faf03a8a6476f2f26735eb89153b4256dc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A3B.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
4a1e3cf488e998ef4d22ac25ccc520a5

SHA1
dc568a6e3c9465474ef0d761581c733b3371b1cd

SHA256
9afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011

SHA512
ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.3MB

MD5
0469bb703f1233c733ba4e8cb45afda2

SHA1
a07afd7ecf1d0b740b0e2eddfcde79dcf6e1767f

SHA256
00314da401908da37ebfe9b642506cab81a4467c092719fcf007be045bc4a9e0

SHA512
342c9629e705eb78c7bd52b3efe4a92b6a8bece9933956390450600635e4c0511ca96ccaa25e6920e9d25ccdf444dabfea7b09f8fbcba2f371655f87633b6d67

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
8714d1e2fdae4d140b1efd1723ec435d

SHA1
564314c3a5d71fe519ac48ce4d9fbc778bf937cf

SHA256
7bd11b90d206cd21a69603fce53aca87d8d5686f10cd1d22dcda808755bb1e8a

SHA512
e53d75052ac5d3b730e940708d461bd45953238cc5a3bd9df7c188dae896051efd5d34bc23babe8ed6c9f03f7501b79392d530705e829a8b17ccf50188e875a5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
88KB

MD5
efcb432453dbeec23d28985cc1f6f2ae

SHA1
a3f99e43ade2284a66e6e85cc92c03bea7cfdcef

SHA256
fbea5022f0fa9ac0c7bb2eda9c2f96e2bf2f062d3e6105083fe182bf037010cd

SHA512
1bca15825272dcf231352a9a43ab3c6c7a54c7d7bfb46ef2a766db4a0d2f9aa2a1a117a15366a165695e3ab1bf7798a96df9d644c606cf7e51aa5ee7b9187325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
327KB

MD5
c504ceb95607e51e0ef282f8055c61e5

SHA1
8375673cfb81711b6cfae0a5fd7020d75fb802e3

SHA256
1c5029667af4b2a498c9981e1c808d9bc2aef61dd0f95747f766c370c149a436

SHA512
b19b2d4e97eec3f1c16fe6419d473b1f057b42481cd3ea0af5ad47a286d543cccd30e9484f6f5e0ed32ad9e09225f33d6d32867ce8d04be3756983cf66427a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
133KB

MD5
da1d252e947bce39c6b4fc3270383195

SHA1
f6e8fcd9d63683e56e457bbf1dfbd684586382fc

SHA256
28ac23c8020d600a3141888b982e3061d34aeaad83fe5993d8e61cf2a70b7bd4

SHA512
320539f5ec40d9bf31f6b9b7c1c99f6c644937060c5f29726b6719f2ff5d2043d237ddcbf4be20055e9b13673fc0e4e025d172bcd51495caf65ca57a689e2eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
73KB

MD5
676a2ab7fe2f8a43ad8a54dde5ad3497

SHA1
1cd0ee9772ed8e2aa5a8feaf799779e641c6e054

SHA256
e37077347f624db0db7966799b1fd84654602da75c1243e8412d81e0bacd463b

SHA512
248eced8740aceca62f85b31da62a0d5c642a80097cb01ebd0ec000d23f30cb5881e292026d65268ec2140d60344b82ccd02751b3ec8d871f6a06bb4dd26d79b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
87KB

MD5
43d4c95387bce39a2380e40edb2a9a83

SHA1
ba84548b95d409fedb3e0a21c8156c715354f7f0

SHA256
040ab277b18ca1e1c6a81d70f9d491b718cc80c91bcc43582bb265ec3c9a809d

SHA512
5c13fabffb29b337ae3d90b1aac32028d88d8ecd40c7b5ae032a4a696ce98bc011b81e727486dca8a23807fff9b10548c22700185433562d15abaf5a026ae8f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000cc

Filesize
51KB

MD5
588ee33c26fe83cb97ca65e3c66b2e87

SHA1
842429b803132c3e7827af42fe4dc7a66e736b37

SHA256
bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760

SHA512
6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000124

Filesize
108KB

MD5
53e67bb21679ab970e4f7a531354f84a

SHA1
f5e07f442ab72fbfc196244eb6e96a60aa213e8f

SHA256
6205bc5f81bf669328d15552e20cf77eaaf636c8d7f79739bf56261471d85e05

SHA512
69d7516a9acdacea59c789f31e8bcc09ace10d6069e36ee5ba12993b216613048b72f5499a5a046061657b010a619ae479a6f2dfcb98db46f05763711bd583c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000125

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00014d

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
6KB

MD5
885c806f7fa14e7e5cd9f0ec215f2c18

SHA1
3df7495fdf1b554a45cb3c17de914a984c97802f

SHA256
8d13e3e111017da028f9a8697470fe3d51ea85ba0e05624ec4bdb84ab13cecce

SHA512
8bd60da1790d8b60b67930d1042afbf1c06d5be7fd8560af61167ae755663e371cc9efb0c4a70171874eafe0380df7489fa3f93cd928afd10d8f9a867abe16d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
737032f2be290cb932ff6413a2f48ede

SHA1
9890a6871cde578ba54df44a960e718ab579f997

SHA256
ad63cdf0d2efa514b33fe8b2f6ca8fe6ccabfc4c9739e14a7a2dbc5f35653b11

SHA512
ab26ff88b3a1086f4be14cdbd89667fbf8a9f065959e2b22ecffa5f993dd42a1bd4270029af2f72366539dc72d96caa18da6617f3b20042407607038449e8c56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
c4067329a3774f3c615b18f1a29e095c

SHA1
d8405e4483aee01cd2eb6845e60835fb021e4679

SHA256
bff898ca6ed0ab9f5bdedf1575693da2e4f82297be5a0c5b44edfc8d9a87c2e5

SHA512
1b8a0b0d1b08eca7ad86c8eb1868f4cb6027a7c77a3ff71317d5168541e759897b044d0eca272720b7b8cd129cbc9ac91241f1bad0bbd52875e37c7d62f6d727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
37169b28923e7f3d135c69c01fd871e2

SHA1
e2d1eb6b95e9c40de3f0f6fa439378200a003c78

SHA256
055bf3fc79369d193410e6c9e7a1a619e6febabf851dafae84ad67ffd5379d1a

SHA512
523bc2fb9c155ccb38c92c4d7dc35e1877e899f0047ac6e9e38f5220886c1acf2586d53d0248039aa454753c1a9bb5b2a2ef86e11223bdcefe8dc7d8e305b918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
7dd2acad4a8d0f55bc6cd9b7dfb8acd3

SHA1
347ba53e249cd93fe9dd59c81c936a036d8444e4

SHA256
aabb17c64b76a349b0e1e24e3dc51f5c345e47893ca5d80948ae757417b8e90f

SHA512
282c0ac46527487e6273000bbccf34f49940b7420b14e2f80117215d0e7be6a507ac0afd82652fb752622160a3d641ad78e48012a7eeceeb97880e8e2178bd22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\239e5312-065e-4043-bba7-0bd144ab728c.tmp

Filesize
8KB

MD5
a987689c28bb7ed0b797157b1b2739f7

SHA1
ffb14d3fe33072920345d7c62adb41718df8577d

SHA256
76abe189bd1a93cdb84b631d953170e322d7c098de21943440d2c4d3ad964ec6

SHA512
2e95298bf5c43281c251d981248919134e3875ff48c1e00b94d034fdae4033517bbff027aa6f8b97ea15c1eff4dc9990ae451e9955ca4a1345c9eca70d582ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
b0e23bd4362b90ca84ec71337b3afd13

SHA1
5c02af9d0762dda883a0aa19694ffe7afe1c4f72

SHA256
773d8e393481ffcbc0454281af3c9881c98e9bcdb17b3627b0407bfc84818f64

SHA512
4802ee3b5a0f7df6ac338db40b3e46d612a6d541d74fb5db5c8446994959fe3102fea04bc037944d85dd65dc021456bf512618944e1b37ec0e7cb745cfcee3c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
6ea1cbe7bbb699375fe9ed93249a0a06

SHA1
130a203dad925dd9b8a0fefa72621f0551f6150b

SHA256
7ab84064255c6c7597f5bfbdfb7282b843760da38a60812fb1f2e61c3ef61981

SHA512
ad486267c420835dc388fd71e1b14541c03fa97c252bdbc6ffc4cb61a5831c14e4303b62ec90c1d22dca994001f8c2bc8b2973ecb9ba806a90b81373def13d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
8e9a7d335c91eb54fee3d36ab2a57e11

SHA1
78a57a0de134e7d6bdf0d5bdadbd209190099f9d

SHA256
2be9226c6f8992b8c772b7ac3b1544503e09168b422b38d9e42eb5074b2ab672

SHA512
1b566ad4d6ff0329172b78e4b6b989bf7f2256411aec54ffdb21178ec40aeb1197d7c23b4b5ea41dc9c6eed6e36a4e83a46f13ba15a24076b9e0550e5737e8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
ac710e544d9609535b9573787b05d78a

SHA1
88a45da70af69a1f86c848d58fef7ceae8c12275

SHA256
da9cb65d15277f3bf6c4dab63e2b2c55249854916faf93f6372288168496c207

SHA512
287a913bbea640479a1d169b6a078d1d8af78032ae7be7caff86a0261d3d91d24ce876e1d91ca429384757742b2bd350ba636d9ea706bfe3a75012ed71b06f3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
a95cf7fe2a930434b741c14794396bd5

SHA1
041d951891d9ce3fc387c37e23c0878b6ba7a2d4

SHA256
552687c2fb02d85c97926f1c1fb35f02565a92342ed0a7bcdbd6f728f4ad3985

SHA512
d0ae63905dbdd55b52c7bc17e147d68a1a55c86f74bb9d00256ddb7163890a8387e8ab390869612a8fa640a79f8549fd42fb279797a9ce7da11d8f2ff9195f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
1b2554c8d71c9a49530f7e7439c2de5e

SHA1
96229b72b5dbadf644026803901b3fcbc3161941

SHA256
5e319e2735334d0ecd17c823bf9b1e5da43347bc0bd957121a92f54a1f0bb359

SHA512
a08264680520358e4f938614102d597e3eacfb1e74be4fa233460c9a0004df9ea6a69c4946ce48ae7049ebb41bbd918ad5f4ea90df702d13cf9426d504589d7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
c70316e3d86ed9fb2593a3cb7003efaa

SHA1
7eb27879768fbaa3f86bddea706f942a046874f2

SHA256
29013c8e3186ac69f3fd71ca82fa652c786ab646290e9d8b426dca4d8c68c463

SHA512
4771ae9328974b39542226c430bfe5bb590b61c9c841af710c6d63279f439a0acf507e98ad744e1727ed24fe14194c27bdd99d57f3014f6ab5cc522d6f762448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
be84f7f52e5e8e4057d8d515db423058

SHA1
7924076b277f2111f9b36ef7fc8ca526b54fbf62

SHA256
0de44197b3eae89498451266f2970e3ca7c2a94aea120513acabfae6080f149e

SHA512
d0bf59f8e07faa2c4e6f60a70313f9bb72457f44379bb23c052038f4b2c7eccd6e4a5dbd3b2308de222faeb56f58caa6ca6cfc3dfbcb15f260235a02e7c7e75e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3d720135fa47f5edfb61a15eeed36368

SHA1
061e0ba91208b8059ac6af9d662f0763b4949a7a

SHA256
9441d240e3dd967e21406276053ceb23af46dac0ed30bb5d7c580fff8ce9a0b7

SHA512
fc3407f0659ee317781cfb0212e36e3d2f0de18995bbc8ba84d8665a54cb0607b22dddf5aecefbf4bc9307a4cea0ee8eb550ba3b018eaba44035f90774e722df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
921a024a979a25bd214bf52ab5444bc4

SHA1
c7e0702069111fdb5127ed8036b6f4e31882028b

SHA256
ae388c59b3244cdf8ab8cb981db1faa22e0558712d1dd1acec3813456a4c71da

SHA512
61e7cbb7652f675edce76052c251c01618f8c02ebf2961abc3c2a692cb63ba30bc767f9459cdd713576b403607d1cf6080e1b117a3b34577c338ac9625debfb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
9461a429c9bb68c12939077c76cfc4e9

SHA1
d24b5b35e9274d9700ab8b8f90429b4717d66c94

SHA256
490ba63d916670f7f5db26a51bd233b8ca75317adfa13519c8ffab75f4b8591b

SHA512
38fae49bc2c54bf3e5c030b669d96a8e6efa3d23defc59010330218df815c2a39ecf3802c443ac8b18da677eac5d1b06cb4c2485f7be46d04cf2eb5cec66f391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
94b27f592851e84c0d38c48a3f3b2a78

SHA1
a1733a5c9cd00b7831c77e8c44b77d6f6031522e

SHA256
9a916f301e229ac884b4dad76917ed72e4bc84ffc8bd8dd1e21af77e4020f0b7

SHA512
9f9607b7751c982722cad9c1cd7e859d5d16719d6c16243e8b472514a8720dd4ed55b2062013934ad592bcf692e0b04caa7fc2fd7602f59ae6540530fa66ac62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
25e1f1c1df9c78a4d78814d86454340c

SHA1
f2fe402b8cca09eda6630a989daaea377d2d6ae8

SHA256
453b5c1b445c4540856bc84de576dfb5bc1f27f888cd0c388d4e0cf273b99b47

SHA512
2fa580d29dfdf6b67a4146b76203a44400dbd642903b0daf341701d684c7e172d94c5719f2840ef80cdbc9f2daab922a2fe7ae8cca115237a0a93be1941427b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9eb83c3862ead6aa0f4509f04f114137

SHA1
60f7313db6609285639ecd3f35c9f13e4b6a71fd

SHA256
d4525af0095eb22fd3607cde7fa2eb235037e8caa1ecda4ea67017be3793b1e0

SHA512
9be7014cd51d7973187af80aa71211860399f6e0b5438903aa1c1990e6ed6c5ae3ede9791f69ce04cc319769d61e1ae6f41690aec375d208e2466e71c0a65dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f6de1920ddabbd298c53a3d8269ff6cf

SHA1
3eae319a2d42d9847ee239ab7db3588d51567e6f

SHA256
57d7f38a5e9d5e0e4e9ecf25ec655c40e9c0a9405d02577f5ab60abf1702d4e1

SHA512
f811aea99c5d41425c10f7faf599ef9a81d5545120ad3322cbd287f7267904a0b5edac97aff2a8202148a158a8c062eaf96374f8a1c7329908ae4ca6e1898ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
7bf069a1c7692de5587903cdad5fbd39

SHA1
cefbfe796a8c0dbd2dc07e1f5b17f221f58352a4

SHA256
5816de1ceabfba86f749776026cb5b066e8a8c12b783043dec4acfd114331169

SHA512
10cfabfeb93ae16b6684140dbd11b9fd9c8c34f6a8362c6c187342873cf61312f73249d1ab21bcc2ff47af7c20cd91f4c86e9b60080bd19e30bf0828a877ee85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
b210a13a1ca5890302fff987abfac7a0

SHA1
594ad18f3404516462b482f4b9e8ef5ca52d453b

SHA256
77658c8e1b34035f8949266f94d0ef871c475f4c8ff1a208ec3cb8b6278cbb91

SHA512
1af7fe160585e8d2e64c04a55b525a366e400b7e211c22342b63baf17c1c9f7b02f7690d51db45e4be2031251603f2dc3dd2704284d4f8c21c1dbf354c09240a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
dda85b810fafa4b0f05583f5c1a5e482

SHA1
2b7a38cc34ea369e929fc7cac98d45fe9c0fca60

SHA256
41eeca3e43302e3767ba83c93a80abecd007fd7e6a0413d00a4b90a5349d69f4

SHA512
b4a3511cbf8d578f966ae311d82d27c925a25e6a5875c9c9400a91b24c9720c867cbc5b75360d2aec1b50934c6d94b9e1d23a7708b073b891c8cc2d09fc8aa64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
cfac7e35d43c9c7d72e9b0ef6cfb0334

SHA1
ad21443af1740f4aacb432910b78dbc3f2c7134b

SHA256
b5e601388b5a71220a2b63db16fd8969709d464d7e4a161bba1bd2fea5408be9

SHA512
69963844721a8e387a4d735960c458050df4b06c990815a7d4034ef09514a5bef08d954140a7d79ac72d1490cfcb7feb15c488365cfafd5ca793dabb7e578267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
d9c5d5024bd5496348611c9a3f9c40eb

SHA1
4df36ac688848ed11d4fe65242634c0969dcd5bd

SHA256
052c0c2f8d046bb1cce4807e3c60574da7083f5f0978645258992ae9f506fb76

SHA512
bcd262fb74eed6ba0de741211759df94b29a4068a529096883398fe43d2cc13a965d7c6fd4dea7d9170b9ed697e1142cd1da890e97e9d135c80857faa9d5ce7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
3da16997f83fc1821f0c6276e192c7f2

SHA1
b32f946816af9e6b43351d95f3d1313d53fe38dd

SHA256
403c0850fbbdea68f8af655e120df89c34b6cbcf60344687e5f610d1a0b8844f

SHA512
09004bf3a221589a9da9702c5a697fedc05a96801f652d2e2246a3daa11b4c0cb5c16040c0583b47f684c896787489ea8cfc29c0e270955f0d1083a4620b2a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
32351ad6b94625965f89d28e475b3847

SHA1
7e41c3b792e05fd8ed00724e0dd9a5b8909132cf

SHA256
73424b435d011d546e45dfb2671ed8bd5b5f633b3513b5bcdca1b72b1a198411

SHA512
3c2147fce7eb8c68001f28447870b7f1e3640300113d3a60b07dde8927d00b1d8518f3aae0ea1a8ae7a7f8aee951594696d7d83417b95eaf84dca302c1703acb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
b87241a1401bc38f8688dce6abfc6dd2

SHA1
d8e6035a676b80a19bb1b82c1cd9eb31e017ec55

SHA256
94098d968987f5c1a477c55d533c945abeed542bc999163e27f9dd9c9f7d1b73

SHA512
a07a9804c2d9c71a433b52051905dd57e6c23a19cf111a007d90225957b860b46eec0522c8e07072054dec85ef05d8c0d7ff8781185794bf1848cf957bb0b72b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
a252f197425318bdc65bbacd278c3d98

SHA1
83833fa043c4f7129f911ec1ca1b1197898edc4b

SHA256
a9b89daf76e979ef22fe6f55fd65f482a5be63745ad2610b2bfa5ad096cfd821

SHA512
c278bce06ac9bac5a0eb98cda9f0bef469af31e002ea2197a18426b9a7febf9cd23ba17023c08b9bb8b9668df51aba20538855beb27e554febd10b5eadc3c9a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
21a4efe8fc2de423bcbee11b5d670bf2

SHA1
0bc43e3e88f8e442adc152dab665c2d1f3404f72

SHA256
bdb2459dc0b2d5309317775ac1a5b2ca3e3c896b83741aec40fd93184d400915

SHA512
2209350127edc3e4435303b4d2e511c596789857fbe05d2cde3ef904692924501e65fa646372172e193c49f77a3df7b102c7888fe370dcf504d76b725563a16e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
a298a4d3573faf142f5daf2587f382dd

SHA1
146f64c10ec33bc13d1b28674def1c432dd36af3

SHA256
b7d3ec41d8fd7bea11b94c260e3f1232524faacb6e85493f871a67d328339f6d

SHA512
af0e08cca7c57c3736348e91f2eed3f68cde319706c4546299289c163c7477d6a2576d456bf76010f244a46e7bf3c02beadd4ffd40ec7c9ed0b20615c300fb2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
17828124f97536ebe3a5e2b7ccec6d3c

SHA1
3507b7551c524249e64141189111da57c36275a2

SHA256
1f2fd563e166e4b6293e9226ccda6349fdf7c15f8db0c0884852b81f557cb198

SHA512
e074228f4fe46734471c16beeb7159bf016fffd4ce86e2b5ee08cbd8b21d57d216939e582aaa5b03f3b71cd18c9320a865443821ac6ff4efd572c15815c52f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
2eab190f8ae240761a4e3f6c6ddc46e2

SHA1
bcb53bbf572cb98b69be99078d5344f5e8bccec1

SHA256
83b5f723657e96f4271ace89f27c568a5a2aa2d209afab125bdc17bb94faeb9a

SHA512
840c1d34f8671e100e180077bcf3dcbb1c03475b62b6209af56065d32b55642d01df335fc413f4def33db82b628aaadc30c1ea28d4b594e7cb6d9d76da72e4ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
0151830b28e6bac6652f5ad790c03a82

SHA1
2d06e6fbbe59146ba2d8b79c72fd92bc1057978b

SHA256
db6084aa9bb7191e96121aae83ebab45d5fd2d95cb9ec061243fe8c0629c2671

SHA512
cea834a9bba13af607c63731695c7caf48f389b07044c8fec163be6f9787a2d5c580c3046184af82a4a63bcff3279e3e946015f41dc47404368a948cd4cac3d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
f477fa9f034de7d73364921ae7f9d704

SHA1
6a107d3b6a84b047ed50a3e25df3be803532a2c4

SHA256
5e1a8363821d74b40031e0aec762d6dbd76a8a5b78704a6d938d17f059984692

SHA512
adb124871042360bc1d149d45e1580ec1cd9c6a6003441f56ad22856fefb4ea2462920ee4b9317975d3757f7c3d8ad3e66d2ee242be00bbb01cef4623eee9a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
0c38f66689490957efa3438bc2e53f99

SHA1
f6752d850b073f1e1492193c8462be87179c45d4

SHA256
5b64aed68ed92ceb38ea91505702d364545cf2b07a257cc00319532a9a39c4b4

SHA512
64380203a3b0ca91791a3c0b322f0a467330a1f42a5275ffa6c747f8880b9506e385b7f493861febaf6b5d5a8fa9b3eb52f93be1ac47630b7181d95687583c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
4dd4ddd3db3afefa424241cfda42f6b2

SHA1
1ca3e3c4567836636b22102b99173cfbce022cf6

SHA256
ed640046c93f942939ab8503de22a125aafcfb0d6a9e3b3fc206e4178e4bad8a

SHA512
7551af17fec6fd7642d83e0c5aad6b33c432fc339176c812a1b2fed8568e446853777d228dea98f4302c3316de7fe0b23a4359d85452a3d6224d5e7f56f9487e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
9ce8e4afc6385b352d67b54653f8a29e

SHA1
3ac648c919d9d7de3934b7a466847d0b990ca14a

SHA256
4c55fb2157c0f6da8f9b88e1455e97c4a9091fdec0d3202a5505dbab5d605768

SHA512
c29fae232811c1307e0a1b5152137e404271cabe7ad58aacaa65e5f4f281aababe877d31fc5e5f00c500ee55577ade75f10edb3d775e505838b84b41372a37eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
ae85a8a90de4dfad7b32bfee3f0a64ff

SHA1
1584c27c1d6f8108c1b09e3b09847b54fb7cd0dc

SHA256
cfc07a9855e013293294a5317c324854cece5d4d23ba20dad407d397002b663f

SHA512
d28510268668429f1332dfbf495a204c0224a211eb1486803cb31ed53028d2e45765892598dbd00afe4945200c5258e97708bd30475b06d014b888b591f23025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
b82a256809781c3e41144b7dcb28fa18

SHA1
5a33bb16cc371dff754e6b094f9c847b7518445e

SHA256
1ec6b96a7290e888b1febc87f90cbf116ca6a88d18b2cf6a7d40ed3efd3eeeda

SHA512
0c8b15e985968983994bbc88e453c58c7acfe552adc2849e3ea8b4716876dcf77db1cf7e4077218169e4d17b4f054de164271048a5644b1035e0e649fddd8806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
05f78c0232a49c0bd8fc832e59f2de1c

SHA1
5e26fe869f79b5bf3b7261402bf31a154d684ac0

SHA256
2f7ad4447a8e446af8336974f03f614f37f0c8fda5be5fa4dcc854b86c30a28f

SHA512
36d64a60065d51ca63cfe85ab42cffcd2b55f3bb0c7cd2e22ca82b27e91c22f50d6ed7706fb166499ffe62a0d69bcb1f7fbe2a500ebc25f7abbb9ab0d50b9198

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
4114847815b8d96899f6a31be39d0ca0

SHA1
2e150ddcc8456d5888fcfbe20101b14f7b44ee38

SHA256
e2e75555e057cd3494d22d5e76948224e4b19dd526861f2ed56ef3e6748a3c15

SHA512
66817dda7aa41c8d41b09132e0474272a93a43029b60bacf01924a18fa88c47cff23f531b94edb80695abd4b7a9111f53ba8be06562fbb463bfd671973799d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
ff703bfbbfdc7eb4f32401d58ffa9d61

SHA1
23de15bb4d075069959f652004e2eef19976dabb

SHA256
861096c0ba698f674e1523878e0ff79be77b5fbd289647bef127a6940e7a4518

SHA512
c687bf70fecba72a9f6e91ddc0b4d95356dab55b35b6493d2627c48a600800e157b7cdd62e7a148f99632cc366908b4b9ab6d5da1f80e3e90b0cbb02a9b40d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
111f9451db3a2f449cca32153df0e10a

SHA1
a8c79c9ccd84e50674e8a2e6be1613328106ec05

SHA256
b22bcfd2968a1800397c7b81a082deb352ac50db37331b8757e832a08fed0d72

SHA512
1d57a70bafec8a49a1711319f6ae39a609ac3f2c906dc133fe0ac56b6b2b77d544ab2d46ef1e615216aa4d98a55ade47a24143d241bfc6b4bdf2a9539afb1d11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
f97a1c6752b4b5a5aca14687f8d9bbcb

SHA1
b0cf4d78c495f49496d668627c369a50d701b810

SHA256
453974223e9fb3eb2a23c67f5b63059e8bb0175210ffa69a7df65b6159acaf07

SHA512
c84b38e5107a2dd462e7ecb41589b885377b23e62c269ac0e726013bf53f35858bbd2c260d94cf04d1d73ee89b5ee2ac27d65460ff9390510e47389c2d9f0f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
0f0804f655e86e34952b490ebba5cbb9

SHA1
82c7c258c432e8360beddce261a5dbc315bfa451

SHA256
b439586780f29ebbb449573114caef51d3122c98029b54dc14550265ecfbd021

SHA512
25746b6877eaff01387b3474ddef88532de9d2eb9ea227e19b32904c0cf83962579cbb93909dc8c5883aaf57a3e5779b167680ca3b0815bb96de235561956154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
51c5c22687b5f5aa8f635e5581fe0925

SHA1
f8820dc8e9901dc74b833f187f7d3738b1ab0133

SHA256
f75edded306dbdd7c6d37c3c00f885bf7d8e21e1ded9f587405476b787fdf1b2

SHA512
eb67ce25871bc1345d8bf6e70bd3d226f5844365f062fa7e29e682c70129a9fd0bedbd8ea50228c845b8ad4ef37cbeedf1f2519fe985e3b53e90b8b70678a0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
7ad9fd32db4b89cce318a25cf13e01bb

SHA1
7afc89ecc587225cec7f1c8cb3e36864090b996d

SHA256
262883a359953e45b92679d71f063927acb5bb6a60ed10defa2d3cc36aee5cc4

SHA512
19e29ba77be28feda6301825ad74fa37a203ebc10e5e20f3f9fc1595b842767a855a0abb9bc39eda243a7ff7587b2b6efd24e5ca4af2549cebadff937e878410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
9680d959b8e18834278bcb66561710ad

SHA1
f6003dadab215dad03061526480710ec6750c0b6

SHA256
c93d717cd3de5f390b8d3e4e04d1cda6112fb3432250ef732fffc760377fd221

SHA512
6fef59730083f6864515ab935ee5db9c9a1c64d8bb3ec489ea05229311367101d8f5355d3aff3011f3d7ee3e9d84fdad89ec9d74cfc0f5f4afd0d41ac0b4e9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
d97ce241b324a454d444c101887d6781

SHA1
57406ed391dbfd2679acbe9650a778566faff37d

SHA256
6503b2c26f8fe30bc93a6153ab42c20b91cf01c92b89cd4c9d4d761c228296fa

SHA512
425b25e3c7057808655780e61510048268fd2f565aa81454826d16f7c6c7e1419365310af28eac9bee053780045a3cc2ccfdb2f6d50105b3821abb7ae88ef72d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
9e32776fd2120ee26f224419a80025f6

SHA1
834e9e1e7a27fffad7d28b40425bddec437be2a8

SHA256
efa585a60f06ceeabbb1681753cf6f1c302ae9b9c32121ea48291dd84bd6bc39

SHA512
f400f5f0e1c56f1dde03d89e82b424d1e146f967e5390c2e1bd2b1fc3522394418c34d2aff55a953e1d209fc15fc5f94e1246cad3e4f6ebb06cbe6619dac3d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
63e687dee3c85fc04aa1dff741bb97a9

SHA1
71a02927ca8c7f8f27ff924ad91f48ef8ab1f500

SHA256
c44012eb6d579c32c6cf2f70ddda962d5a5e8b83403f982725d639170ddece94

SHA512
014fb68e8451cd98c7a7c48182fee3c9183816a7b15f8ed772c7170e92cc132b1c2e4cabbebf57cf04905f10a09d705f50daa2003baddda731ce5bf6744c0b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
97f06de0f3e6d3aaaddc24c4fb952ac0

SHA1
a13dcd533afa63890c16b3856a57c97facbbb563

SHA256
23280da391aa7d69968c7929adc5ac34e02d08d3510c52b6b3a95f54d1e8ce05

SHA512
76fa8662f7bc71ffd650053a7842c73ed6d6d247e8ca73991632686b70cebb51e7ff4e3eb640f2c49df26cc6668427f961246f49a039dd3144abc68a94dfc657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
05b9e5bf78f79b8a922bc3b34529acfe

SHA1
890e3a8e53522a25c447e1e72fef69befe3ebeda

SHA256
2b98e6d0d20602960e8944b7993fadfbe473ad4109b3e7c07c3266ec7f2a2b04

SHA512
751bd91383960c9066e39bc6dea262e9658863d0cbf76fb12ad961a5521a913252377a37952cceb7d92d498dde52e781f2ee9934fbe5c9e3f36e4b848a66061d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
e6213426127ec73b61136ec8be3438d1

SHA1
33a67183e1bf16c30666199dde69b0a575c8bcee

SHA256
49037d9e1972ff4ce96d22372e01a8ffa1c2d131adcd6f5e45feabff9d22cb0f

SHA512
ef53318def9ea4582a85a33136eff07f74bc37b8b24f14aafe13c970eeb0cc235dcb7c43fcdd0cce51ee0c8729e77d3e30a9ae231f02c966272a4cdcd470ba5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
6cfb0802325d196dfd87a628fdac46a5

SHA1
d97e1e935c678e5934688fb28eddbf79d583f665

SHA256
6830bb8f41ffbfdd0c1df4daeb98f22becb9fdc8607fad030ecacf56a73d41a1

SHA512
808a6a3e5d2b6a52cf772908dd0ac9dfb0dde50e11c70bf4a5d1113f72590ca697fc891cc5ebbf43595028e75c128187b2b0c038af761a4d0785efc3c777dcfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
a3fa81f90091c48c6ffb788dec2bbd52

SHA1
a687566bc323a60e98a744ed8effe2b7ff1567f5

SHA256
15580ccfff06764ca3747c21c35a8011421510031d466a91c39a2679f70a0160

SHA512
3f95c8cbc12cdd49c132a6d086ef076c73cd425e4ad6f03c8bb093fdd15f8c38065d6f6a8a18755a7586ec280913714e3913a8a2ba52b4a1b4259690c47d4b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6b477d638e92f874607889137b171c1

SHA1
c52ccced72794f9b954f773b9446570e80ecfb08

SHA256
4a970298ed9e29bd4c50f9d8875575383e35e8167f9429661c80926198e3795a

SHA512
a799e52acd5f5fcba67a3141d72701e1f306a40182bb3f119070ee555fcae123f7d279ea1e8098efc2df524aa4b2f0379b9461bd147963648db9c990e62981a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c525e3e9ab931ae9e0b539ccc03c2ab2

SHA1
d92b7d6070236d34e73d1b569c7365f02b664744

SHA256
1520e341f0f3e7ef378a55392fa7038897fb81daef9b7e16e3fb05706c5488ed

SHA512
5690b9b70ab7aa933ce486f7f9ab3231ed1279fe25a6b41a2945a9edd604a3eff4d86c543ea1d60afee98bd3526ab7c5e61bbb1205003dc141513ecb6e18f52b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b085495020194ad7d039d01355445669

SHA1
120a94c2fce15121949deda75edab3d1e6dea392

SHA256
33516a59e1661f1015b3c3eab1f311cfefbef4e31a8fef2578a3fdc519ca8b2e

SHA512
e26d6850b3cf72cd8c1abb7f71f922060803ecef6873ee2603c6eca27ade07712f42046efe3fd7c03ee4108003f9117b419c47bab4594fa8836d385adae67d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
47bab1fc34e2cae2c52966650168d451

SHA1
e9eb381f0bdd93df5ead73f438d9f66867e34994

SHA256
9fb193f70ee97c17b9b3c26d6366a6ad62bc11cf1efc9914955060f60e9e93b5

SHA512
237634351f1d798444e1002fa9442c9985fab02d8e32349071dddf42b15a073b207d676d60267cc4560b48916f9e3d6b50b06891b7f1e71e9ca921a8e99ab63f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c03e24b9eaa282f0a992bc153690bb05

SHA1
06ab04550af6c179bd6f3c22711edd3f02c6366e

SHA256
f46b540ba56cc09d7105850b8418cd0fff30c65618dd15e078719b15620aa1a9

SHA512
536c2784456a5dd3903044a852f06804f1d70db344cde3c2a3d8940dfb901a3f26235a1fb96f6f8313e4cade9c88155bd487ba5a3e5727c677e377383cb448d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7d77f660765bdcce70a3336ec28f64a6

SHA1
c6ca0ddc847c7494f180aecfbf9829ca759cb5bc

SHA256
32243f39d6de06f4ac276c4b0de0483b8163482ce3334246e9f0d09ed814c0ad

SHA512
83e46061b318ff4228ec2c189b35f1b4718bfb88c339376ac52bab643d845c9d76d7113e19e05126fd1500b54e3ad490387f2584eb1efd54f2e0c5b0b5e07f8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9e74d0153aa2a5a98824baa674cdbf0f

SHA1
129b07d75dff8421acf4c8fac5dbf4d6fde6eb61

SHA256
9496b654b9fd88ea46453331a75c96229a9582e99d5524985bc25d8b3254699a

SHA512
c4c7471be07aaae0a6a817e2a8e3a63df1df85101c9a0dd2e4dae6cc0967c5732d929f4192e680a61e4a03038cce201b099e4253d75b7bc7905ccae9c24aadad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23eceae7074a8d1b7046aa260fe25193

SHA1
7ce86272211b54ef601d15e89621dd89a02abe5a

SHA256
462f5d1562b0a799695c8100fec4c35d3b272fa9e61b11aa5463b362de903d5f

SHA512
c48befa221d3a85a3b1f34d69ab4aec0d7db7fab4305b3d51a19dab3fb72c49a087e11c3a53a20890c593f963f426bb1ef06259d4a2e0e8d3b7a1ef8b3c03dba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
709096e0f83eb422351d1259d72f7c99

SHA1
8f9a2fe6e05157d449a9664d69b8dcdc4485fa37

SHA256
55f9dafa195aec85ac5f91bab3334b00df5295af5bdb51c411bcb701777754fe

SHA512
9e3795de7e7c57c35252f6042a0fc5c6c70aef82005a749674bfcd4fa1bd81c4358e01a280eb08982d787b19a880e078e0dc305652a8222f7e6e5a7dbd51ef97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37cad52ef54d367137b7b006912173b3

SHA1
18c441e63daef81bc1dce1b4989569476c855563

SHA256
5aca3a5322803fcd5fdec077e705a8adae734e3ca6a980eabd82032792ed9744

SHA512
7f3b8c48274cc87684aa885677b9762836b0cdac51aef383518e6555e048ef0576e029d691c04044470e504d271c4d85e67ca65895e74b3aa23e9f6ea4a0b732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8aeea41c6c62dcf64a54a1d9582f7d80

SHA1
c76b4b1da0ae27214e74e24a9ea8fdd9fc72f9a3

SHA256
3714d84036ce66967a0b96d4863664d66804335131f70948c3640d6107ed700b

SHA512
287699008a0018697161034dfabb2aae599f46412e8db78f0023a3b3fa91ded4540720c4a852e5311c389f67ad9dbdf6983b41df42f497a91baec29bd7683226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c57f1b4ebd64e5e74b625538b170725a

SHA1
bbdfae6c3db620b683f82b104bbad6b4aa72b470

SHA256
1abfd7deeabfa0e54ab9c641d7e8e6166a6d2543895787293238d864f933940c

SHA512
910d7cc9d1fe05e21feac38d2b304eecf60594e3495aefb498364d8b42669ebbd24a3d68235c42b328233c1ed8ead5f92114c959be8b6543dc00a091e5361029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb47dca8889d0347701d43330212723b

SHA1
63946b788296a2b683977a164752f006a192d14a

SHA256
ee4a887e442da0dc6481dc52cb4707e9c4163c0759654c6b73b9529e6645372f

SHA512
9bce1044c543a5af4d3aaa244d027a55b61a0606f03e81111d7f75f011e496da24409eefc219cfb3bf2dbaaf3660257018349af18c22fdec0862e40325035b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
00cbbfa9d49322d9fb4cb99497649a0e

SHA1
85e089f175670d7e9370ef79337d68ace2a4e944

SHA256
45f6cd2e00b82e51a921662a8af4560ce75c8aa8369052d1bddb068e3b6c8ab4

SHA512
f27e95cddd1241cb8130165cc1ecc536de3de9f45371243f858fcc410fe9e7cc2c0a993ed49dde2a3ce2081397384a62a6acb162a0f57c1be1348f0303c85881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe601179.TMP

Filesize
120B

MD5
e8fa478dc8d18ae289710a7b7aed3a5b

SHA1
7834df0886fcd7496dc5d45ae098676e2af35d02

SHA256
6e6f3a7c0a4f9ebf100ea969604655342daf6a6f5bfb5ad81d110c422a41cd92

SHA512
b4f2e2063b3195f1a79124e6124721a47308706481d84d31f4af4bd7fe912fc6145d7b7c2cf45a90f7bf7773253154f97cc8fbd639bf4ac8f71d898d74caa1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
92e0d99590746375ccb138752671f604

SHA1
4f2cd483907e6c4ae7b476a8a6810bfee5671007

SHA256
3b98c9b8a98c44c2c6c0f229ded7d3e7c3c141380894d9269b5896d491c6b25f

SHA512
9f64c61824ed1fb1ef63896bbeab0c0cdd82235f8fb8a25b01c9f58f0e6547f1f997a08f4fc749e3a13a45b78ad43f2c8fee004dbc637ec53a725eed62e03e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
30d341b241181709a1b8739b63b7cce5

SHA1
45e13c8ec3d622ac2e6c9092abc16a6b4e25ddc3

SHA256
6ba814968c27b7fbbd8d4057d5e4da569ca803878aa59069839c8643baa63109

SHA512
ee24bec0653a6fe5717dd61eef3da9b18f4fd0f07d8d51eec9929c8f92eaba9c9b6cc14d15f54ad5af2b5eb3a234020e50a9d3941ac43818e1015cce4ba457a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
602e4ac09bbdb5c9767288bdd86187a6

SHA1
7967a95110276983a2e89c3b4dc48ed2d9febf2d

SHA256
ac997b12eab0c75c62f7d178285e10a3d345d0d43af9f3d28c6a8542502a53a4

SHA512
55d1a64b4cbeab4c55b42f3632a481191aef1c4f0cd97c0e6f2af230bf3140afd3219e87869e13c06eff698bbbba1d02bd8ae3f66fe7a2bb54f995759c2ca96c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
7997a4d34e68ab611240c770be01d718

SHA1
400822fb5c77e7f5309d1be1b3435b385ae0be95

SHA256
0ffe43905f97a418506e220421dc5dd6e52d092b724c9167761c3e30e93f7d08

SHA512
06210627a0e2af87d225de3baf61e7a5214c82593960ed38b281fbb5b76c7a26a4fd99af39f4b928b83c5e8b0dcbe6a558ff71f26cf93c0d07f327ff0c0bc531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
4ce22dcf63536d6f879c3aa86aab78e7

SHA1
14e4db0205eeb4eb34d4747ff1bcfab5f7aa513d

SHA256
faff1546020536537e915ef539f7d10de65bc467b55bcdb81dd592a335d595b0

SHA512
0b855f0b9816b0c3f80b2d28274c202b3ea55510fbf82ab7382287c3ba5b462a143f3637597c60e8aba5f2f4a7cc75e5ee9e27e894c9821fe694fcfb91654369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f13d6328c946f185f38ba83346016409

SHA1
2d5b024533cd2d8103e03d1025f8c7eb9ea0e7a0

SHA256
6808cd44e703146c80ffbae69884a092e57c1ad5bb1eefc4bcdb644858ab54ac

SHA512
ee786843a9bab9d1791ee4fae62c29927d231bcbb57fb46eecad2c9dbae42c9ab45ac488b84de26d4d78661a9bb74654f2e6a67bd136e4dc3d4cc5dd638d0f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6e451dc50aa54956ec8ebd7ff284181d

SHA1
23329c6a24c0d8329208d18be571889ef8379ed7

SHA256
e5c540c1a3272789f600a5cb465749c2d5a29da81ce660fa3257a8c2ca26c676

SHA512
349f2985f5fc12a4af9eb6b1197991ef8112164371ef04ab45749ffaf0652d462f5e047da44fae37c4191505c360e7ba579889ff283e736ee49b4a2bd715fd0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
0b25a3677e400bf4764865c7ed82c9e7

SHA1
4523e146598a74d73c8a8cb15082dd22a91b7454

SHA256
cf23a9f3f07ca2368471f64dc44692ad2fb95d2668089170742db7c7771594b2

SHA512
5a9597870b2df52e066af5b3ae1da6af6c38baa2a056bb9ea5eaf30361e9d3982abc5a7cc178ad79ee52260bc94194bce394ef0300ed923b475edb97d4321b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
68dfe972fcae9a78858fff5abd8ff0eb

SHA1
fd35edd0d6dda685cbf1392dc1b701907f338e7a

SHA256
3e2c0f8662d3153fe8083f78b33d7fc269664ddbdc1fec1592dd42bc687b55a2

SHA512
b8800d03b666bffcab56efe9a9d3944cecade0d0d6e4597fb214e088380ead321ca71f1e479bc3097c1b228a7b5d0564bbff1f0d71fd5e765226c2fc5699b006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
b3a4fa5a3f3fdde8129fc9d653857af9

SHA1
905b76161f4ee764e149479e9dc02ab51e9d12f1

SHA256
38e25de3bd299e739b7dfd42525edf114c2b8b55b43b03b971d16cf374da6baf

SHA512
0b1a68c78c5d7b29e8b88e2364d50e7b21783c8ce8af5ad04628beed4e5aac0017e17df1a80afb98f7b596ab98834b4d0824db77dc1760a5c2fdf0fe5b3dce53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
9b7ef3ffcdb750df860049aaee5a6310

SHA1
92b420f6fac3baa24c94cc3df4f9183811bb9655

SHA256
700711e9d8f7c6479658cb3ac92e3fca382ba4e334dc10efb5630c0b4d30b2c8

SHA512
527cc76a5ebf3db14df8912a7aed4fbbbca728778cd5a5642beecd54d089b8e041dd9bd95a65e99b0745955dc3dfd65a4615020671709e0d6606040b97bbf24f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
bcbc0c9e3c86bdfb76c8a3bc242660a7

SHA1
bb572efada275974fb1617fcd9c9e7dd69a7fd77

SHA256
c5af1d5a84f398a0f93ec80eb3476bcc448caf9f0228dfb032a47b09a5722fb5

SHA512
2a6ac9fe94462647fe9bfc5696992746f8a45439854429e8998570337c942dc968b3ff71e8378b3aab70f20fb7c58ca32c9bc20398e609741129fcd43dab02c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
d320324a7b5d4cab1157572cafa1ce51

SHA1
681b5a50c3e211f99fefd6d4bab708ec19d3b6ab

SHA256
ffe1e10f0bd08fc15f58460763faf1865a52fb77c4549d30f9e7ef97722b93ab

SHA512
12b4b1f766276bd263a5af2dae656c0968a6ed85b93bbdd4f5d7972772490f1461b36ab0f8589c05c5a0e7bd4a60e19291798d6cfb1ccbb4b4280c3397c345b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
08edcce8481d5fb1690737d888da903d

SHA1
1e888b041960b093629cbfbd7be2c09308e86b94

SHA256
43d9680ec9b2dfd2fc41327ed7403ca71f6c3715a229d1b09c4e1cf687364f33

SHA512
0c9e9220de820d58c54ac5f375292dbb1f4577f5cb54038419966e0cbb4cf00b58f5b3536a81ed90028ba61d7eb8d15a534372783589a26aaee4d98c1baabe7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
f6f58e619d0bdd7fbad27e1625eafbb4

SHA1
94117143a71e33108ba73593ec7b5014c256e19c

SHA256
c6128d04c9e630f49db233497c07a06bb829ce437112dd6421e72091495a5052

SHA512
2820189928cc309c72bc7cbca8587b0adae75f9e0339c6be9389dfead620ef0553e497828e996dd308354c88fb34aa7225aa8f2f032adf6b7a1bade7923ea8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59817b.TMP

Filesize
88KB

MD5
3586d6c8ca880f4b2d0449c660aca735

SHA1
538b9bf1fb68388b144c6e9723a559f7dc8e9b17

SHA256
6315e9464201c1538f6d8b4dc0ee54f6e6385cc24f7e42fb37291d955406cfc3

SHA512
4c4cd46ecd13d076992c509a94e742562377760a551459f5f9fde11b6d119f9a55ec23114448c854f9555c72260753351a06130f7cb50c73e280fa0fa7e23a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c69e88a110a2555b24b1d9898e00b36d

SHA1
2f0527b132c11185513ba72920b868451fdc3cd6

SHA256
a109bdb7100a58b4f027a31c34f74610f6a9d28b0d0126af2ef9a7b289e80623

SHA512
534c1214aa2dce7faa26c138c3a73d290be9a4f24de339de67e4baca25c43a782ce2326418fcfb962580177c646b882ae801247c8cd5d825cc81d74af8d5b458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d8f10b0d24ee870b89789992dada25bf

SHA1
c643fcd06d27546467d47b88b4d56c2d1fc80aad

SHA256
6bf825859a8bef66e28f70f4e82594f896306473e064e11e34b00514252746d3

SHA512
3e1037371d66d5019a5b3f418a0c35915e49e08ec15c45c76fb43f5539424d904013099cd1fee0a4e7c1f34835adb9a0416d2c1fe7b479def2d328ff4abd0107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
172cfc25e875d5930d0eaec1f5793d74

SHA1
a8da25ae49572f084b48c72479f2e74e27defb87

SHA256
4ff148ba1bd1a3fb2c078cd018a68781e831718c45dd5ccaa3e8731e155a81f8

SHA512
969eb281bcf7617d5611eaa014a47946c6feb3ea0ad632ce90717ec07af248c8710b3372e3ed4bfe61eb538bba8fd2b4cba3f671a84d8a3703b54b3a1cee1e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
881B

MD5
cba0068209507dbcff96d0c1eed26c56

SHA1
04c685780b54c28a25fd1f728d985625b2720712

SHA256
76fbf9458ed107abd068878abeea45f78475cb7da696f85e5ad0c8657a3907ef

SHA512
e460bfc245499329a2e14f8f89828f4b8990cefa1011d7dff8e2fd6a9eaa09a895d6558180ba4ec29d736df189a506dee060825a3c00e684d0dbd9cb7d66827d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e5f7956c5aa5dec28e0a3b128c4a638b

SHA1
d8938b5854d576ead1208587588dfa3db8d5aae5

SHA256
614c64b7b1a4bf3e60973495cda6000e1559d462a5755c232015ee702202acb3

SHA512
e40e54b1fac4d8abdb4b65f734b6b1bd955bbe5163645da14875ff004b1a95286dde024e36113331c816e9514dbfb1a928225a60bcd7473a393e797a6f4ef6eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6a843e91dc86a89b340e3b7d38ee8b96

SHA1
43bc996559405cdbd76fa1fa0e5d6d493074533c

SHA256
c77628288f8796500f0b46ce3584d6174efcfad858ac0b5d59a119bb1800e820

SHA512
cd6093f59439d18f5993a40d624968c41193ed18819b37a19c9858292c121b1b0ddee9d700c01f58b72b4e7e3a3044e52a2533347498615b85f321a9f5fea1c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c7111dccd96bee8b43847bb9b699f2c

SHA1
d8f3abfa1961e5618211423a4e33585f369f6db4

SHA256
161f0183148eefd66ea995f2296b322920ecb8a0bbb6c39a50f0707991561928

SHA512
2bd2680543893b489c08a24b84d3b018ce090cd99314a9edc2feec66b19954c79d05a8b0e07486504a94fa903cb201e890f498d62adfd66d46b84f79ab8c7fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b95ea7d6ab26cc464dceb24b27fa50b

SHA1
7b82ca8081f380ba966d2f3714df18f20faa99ec

SHA256
234d6398bd1e40d3c97af182199b6b69a1b57c8d22571ce33319da4f68e04362

SHA512
564057bbafb5f12b33d1b25fb7443e1b01020035f9cb978df1962d42846222761d9e0c3b5858e958566cdb3a89ec91d868834bf4f99ef3a36725d88b3809cf9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0aaea65d33dc3f8f6792648f4cfe83c7

SHA1
6a9912df5c2193742f824de8c5a0dde1e414c55c

SHA256
89ea9e4b09314bfd5dd2bc6d05fa5feae34acb85819a81c48681b143d3af4b98

SHA512
dde150fe6c1985bc0a9b299d3d904edc0cc56c89bd96be53709f1639489cf2c1186a10abaad251f528fb60e6955f66c6fd5fbbbff3d8c63adf9d8555aaee9dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9cf661ba161246cc7ddee4519fd0f589

SHA1
c190cab792b13191f6d1a5754886a68c0c7627bc

SHA256
addf562f17a8cc6c5a057242a77d7651059b9f9aca06ebeb4b0c415b3bcb51f6

SHA512
f78668983a0a9722ba161fde8efa2a394f673c3fa6c5f23c2e673bc4b634059b8da3b4111ebc16fabe46446ceb6741a3f32d374d36f499e5a12aff6e2ad4b83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb629cf85e00cc46768c006a991631c8

SHA1
751a2629b690e228dd0dae7f8b00b010a356a9c1

SHA256
bf27beb935a1c2520d65cbe66f0e45d9fcd6721384d84d613510613e95b03db6

SHA512
169d39cc0d81b9de0acd3b22586f5b6c3f05117bf8a659ed4616be1c73aa4ebc03a19d61c6c5a08ead271054fd4a3de5c5afca80a170cd1cc3b78c292d44876d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f219b6da8d3bed22aa202ad892cefcd0

SHA1
e4b69c5d71d0e39e3044dd94435874d0705db6d9

SHA256
7928422da1591f24478704ca317b5c205664ab265faf994b62f9b8055e0206d1

SHA512
7ae00de8fcfb8696c4a93a7ccdf19ffaa46aa4a022f8f8a585b5ac6bfb3a40aac72948c0eff22b461640df63889248decd7adbfbcfd9b51ffbeabac47d721b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9baaec7df35979f8758ea23edd5bafe1

SHA1
4a413a0e5e49a4a08b43c2ba2bb875164cd945a0

SHA256
a083e95df5e8df90d5a9d81082ef8521bd47ffc32c7ba9734cf02cf09f40488f

SHA512
4f7a332052d2f69cd310e4ac2e4482228b382a1515bfef1e4bb4b2e82fb22570eddb9b269649edf75ca8b3059a710713e69084399e549b22235c8e33835c0abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a4d5471200c393767fce2c6d54c204e3

SHA1
32234301dc8bcd306abaf2e52f20fb31d19eabfa

SHA256
e816556e681ff01129d75df91d39555a11ca67d292365be35c634fe1c3363fff

SHA512
589ba787ae5bb588ba0915b486c8beddb83d786cbbd6f0ffba0f6481b8e1675d360a82b376f01c17ce92ae5b493a93083e0921d4d1f330b8ab5cc97e3a4cf77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a4034765314099c32f39ffe09e21e2ec

SHA1
2f779dc62cd6237df924e7bdb294d0703f175f3e

SHA256
a6c5eb681be7d6a9fe60676d5b4d93363318377b3a7e5aa7e9d32b11a0283c62

SHA512
1de02012d4932c12ebb2ebb669d898f9acf962b4501611b0be6736d92f519c3a5f6964d39f77c8a2b66608a72cee52490f72f214051388dcef48e393a135aa65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe620c6e.TMP

Filesize
1KB

MD5
889a8e59a78848738583447fd962f49d

SHA1
5f233b0e572e4d9176e9b17b99fdc5ccdb195b1a

SHA256
c05403731cb30b6860df1a132bbcbd53f6c20094b34bc92e235270be3c8e1ac1

SHA512
f3224f59772526b5efaf942a7ac63a774a03f56a14adb92edafde4004bed19fcb0484269b8dc55f9fa1dcdc2e71ea03d5570c9975f66155547ba4889271b6238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ed9ff35d-8839-444d-9b01-25a3aa8f3359.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
17KB

MD5
913728da90cf90d8e78af59c60b47c3d

SHA1
f42f2a545d4fcaf4f76d0f060f52e33a47df7f1e

SHA256
b0b478f9aa6aaf8d5811e296047ae1f8ee07f4c4998fe9d7b960755ea1fafb82

SHA512
3af86e053dd56aef03e6f967a49b1a0d492616a71e2e49090e0c8e5cbe58ff37ccc55e91f06bf34096059a49f3de84b0bca587f3f17c366f97c0f7a0fd17c974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
22KB

MD5
1ac9e744574f723e217fb139ef1e86a9

SHA1
4194dce485bd10f2a030d2499da5c796dd12630f

SHA256
4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e

SHA512
b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
16KB

MD5
2ac0e9550a06af37db2959aabfc084e2

SHA1
1949433519c9d587f66d317018a2fb2538973df9

SHA256
f077596d48d72f781d8dec4803c6b360e0a6d193758952e70a8a42f309595d91

SHA512
cc943996eb97d1f64408d9c66290e65d7ca499d318cde1492afe46e461964fba97b3c01bd884e23b63870e3808682f981345de7eced62025ca2be58d5d82a43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

Filesize
17KB

MD5
fc97b88a7ce0b008366cd0260b0321dc

SHA1
4eae02aecb04fa15f0bb62036151fa016e64f7a9

SHA256
6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e

SHA512
889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

Filesize
16KB

MD5
a1915da4a339aabc49f7f52ad9250e23

SHA1
4167efd629e7c4afc98807091859344a2e004b19

SHA256
3a3313e4266585271635d66c19fe0400433a5844ce30fefa00a59da9070d7244

SHA512
9853006133be34733e23c7f7dfe1ca5df5ce02f9eee3d709b97aafee2e0c9293d9107519a1dd9f9337b2b228d5fbf504ad6865b3cc2710b6db9d24990e164533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007

Filesize
17KB

MD5
d22cb8682c6c279a568ed39bdc634f0f

SHA1
677360e899085b1fe7af0098575842261a6d854a

SHA256
78b575d52c9342adcc7b89ee8545e0577169b0d520a9924c7d53bc3587b240e0

SHA512
2ad0f705556abae3edb620d4370c1e72c749935d6ec079a10272ba2cbfe42d06a67f6fa1c3d80755aef9419391f701e98d479e946708e26980497f438b154ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008

Filesize
16KB

MD5
f55234db88c6538e3f4ad45c114435f1

SHA1
c4dba9a32f50f2d9a27ce81a1d62f7587751e6b6

SHA256
bf139ca7efd187c36f3ec33691f427205a63ca2707af18bc25430637928d713a

SHA512
8a621fa5044977bce987b8259dc850faf83f4e82f4df1a7a689dbbb0b9b065676842f7ac462b77f66c3ef892c3272960bf5de4c0dd4f02e85430b368867feda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000009

Filesize
16KB

MD5
e7f884f3e93b33420a307305edb14ed4

SHA1
b951204502dda9221b5089da9e56107383736b60

SHA256
e72ee977216ccc0e7cc260bcda1051d9525987c831339146979b278dbf5cdb9f

SHA512
4fe25ef726acdd7f8917f2dfddb0390f30b7611ae510d88ac56f6d527a122a667973be34e74ce364aadd5d9ec9d4fe340e3aee186ee9c50bf93c13af6ee8f503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
207d24c62853e1be9ecff4de0a0399e3

SHA1
4657166db67b336966c86bca2afe0ed1f76974e5

SHA256
25869b63cdf89718d7b018dceffbc74db4b74621cc8ec7dafe8ace26f1276ddb

SHA512
bebe5ca9d98a465608856155a0e3fbc3eee41bb74c7d026e86505f72f337f9fb352a84003b64462625afcaed43b57edd086c43cc889b86082bf533d57c61f5a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a46a1faf49719b71263b07d3fe573192

SHA1
676a56190101ebf0aff58bdfce4ec1abf68e6667

SHA256
93ed27b6c358e3903a8ee778110bef391be4c55a4a1ebe7d507e122a05fcb026

SHA512
ead9a556aeb01e4c7d60506f5a71a0441a47fa22cc2ea373fe045c92b77d1f86dd3aca117a219abb4b6601ac5b9cd8278631ba42ce69c773b6860244b07e3eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52ce1d89de0dc0c393e7b1db4c2a94ac

SHA1
37d1f47baf608a2648d01215509c4829624a85a7

SHA256
76a54ff84fea0f0a9b8f48674fcf3127f12172c6b88414512255d348952ad05f

SHA512
adc2e8838fa42f212156aca27ef2c7815e3dd0f42981fe199ac2da8ee32826b80351de8fe87a0e987fcb9fed86e16082c5cce90ff0449c83c51b78728a704419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f54ab4cde4878aa0ac4af0a786fc9a86

SHA1
6c6e097c12fc105883e210a47e9d6c5f3d7d9db2

SHA256
b16d2dd04ed3cafca8b56176209ea6636bf4ee268febe0e3d0db05161232bdca

SHA512
4da0c7329359d118dd29225f2d22e5c160ca933409e4d76934af35693d99476497ce1b560667e4b2c34ef5c1551cd440dd7b30472b6941f5b1f0c72e73774d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88e0c10325284779ef259b18004f42e4

SHA1
88acb1f58d4c1021ad8676ba75ee554ad076269e

SHA256
77273905f3af4632c51f211ededbfb86e8b135f0e5a687b0b81e83506734d207

SHA512
02e9eed5bdfbfbb231cbf1c6a42865c1b59397e3c2f05f7762f5a671c22000c55f29218217558771e481fd1cce6606d0ac562e231bef42922f6d245be0bfebe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
75a26637973043281581b510a49bf7aa

SHA1
01244bbbc3f9c03fb3cb9d648cb016987afe3b3b

SHA256
2e8f476d7a8122f7673acc87abd84521180aba1ea58d2f39741aa7f089eff721

SHA512
be02fdfa71639b4dd98f75159288b8e0c009731a0a6c0c38ca37bfc6e01b4f9974943b028ffa36d8b15a19ab56452b4d0446ecb61a00d7de8b420076cd26e613

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133611842356499908.txt

Filesize
78KB

MD5
bf5251ecaa51ce18a395c84c35d765d6

SHA1
313050a576fa14b6fdda5b81c445cf26eec2f577

SHA256
7e1c346ada1487293c6abc9040a26fce266956273f974584eb7e016cce829484

SHA512
8876d23d4daf82430efccc320426814cdfcb9fc1e523c62e8c3d90229a265dd558b7fe8d2281c1615f5f4e0ec101189bfcb7568e9956f57d3466aaf72295f64f

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\938199ca646378b696716037afc964ba

Filesize
5.7MB

MD5
938199ca646378b696716037afc964ba

SHA1
2d865bfeccf3badef2f64e5d6453e6ab71d5f5a7

SHA256
2acc3e0879e4a71a6b08e2d6af7b238198d2eda73518b9394d82d00b010c9d7e

SHA512
1a37727c5dfaffa3023845592b400acc226face537176064698b8415d79284b6276fe68bf0e5870dc8898a846f923bd95eaac1d185613759ad6ca1068456b322

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 141018.crdownload

Filesize
5.3MB

MD5
f8abc05327115c321307efaf662498bb

SHA1
4d848adb9b0a5b278f97f75fa125145dcbffd572

SHA256
c89eda2b48317bd4da398d59213d86afa0c06034cab5e3ea5df5865e369d2a0f

SHA512
a6b70331ad553645cd82edc5f6bfa50b4bb16bfc2443469c7eb1ff79e6b4a246cfd7de0691da400777651529a2bca20311645a763dffbf7e10cc4334ab074ae4

Download Submit
memory/3112-1739-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/3112-1603-0x00000000735D0000-0x00000000737E0000-memory.dmp

Filesize
2.1MB

Download
memory/3112-1569-0x00000000735D0000-0x00000000737E0000-memory.dmp

Filesize
2.1MB

Download
memory/3112-1568-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/5044-1778-0x00007FFBB8790000-0x00007FFBB879E000-memory.dmp

Filesize
56KB

Download
memory/5044-1787-0x00007FFBB7010000-0x00007FFBB7020000-memory.dmp

Filesize
64KB

Download
memory/5044-1746-0x00007FFBB9720000-0x00007FFBB9730000-memory.dmp

Filesize
64KB

Download
memory/5044-1747-0x00007FFBB9720000-0x00007FFBB9730000-memory.dmp

Filesize
64KB

Download
memory/5044-1750-0x00007FFBB9770000-0x00007FFBB97A0000-memory.dmp

Filesize
192KB

Download
memory/5044-1751-0x00007FFBB9770000-0x00007FFBB97A0000-memory.dmp

Filesize
192KB

Download
memory/5044-1752-0x00007FFBB9770000-0x00007FFBB97A0000-memory.dmp

Filesize
192KB

Download
memory/5044-1753-0x00007FFBB9800000-0x00007FFBB9805000-memory.dmp

Filesize
20KB

Download
memory/5044-1754-0x00007FFBB7700000-0x00007FFBB7710000-memory.dmp

Filesize
64KB

Download
memory/5044-1755-0x00007FFBB7700000-0x00007FFBB7710000-memory.dmp

Filesize
64KB

Download
memory/5044-1756-0x00007FFBB7790000-0x00007FFBB77A0000-memory.dmp

Filesize
64KB

Download
memory/5044-1757-0x00007FFBB7790000-0x00007FFBB77A0000-memory.dmp

Filesize
64KB

Download
memory/5044-1744-0x00007FFBB9610000-0x00007FFBB9620000-memory.dmp

Filesize
64KB

Download
memory/5044-1758-0x00007FFBB77B0000-0x00007FFBB77C0000-memory.dmp

Filesize
64KB

Download
memory/5044-1759-0x00007FFBB77B0000-0x00007FFBB77C0000-memory.dmp

Filesize
64KB

Download
memory/5044-1760-0x00007FFBB77B0000-0x00007FFBB77C0000-memory.dmp

Filesize
64KB

Download
memory/5044-1761-0x00007FFBB77B0000-0x00007FFBB77C0000-memory.dmp

Filesize
64KB

Download
memory/5044-1767-0x00007FFBB7610000-0x00007FFBB7640000-memory.dmp

Filesize
192KB

Download
memory/5044-1762-0x00007FFBB77B0000-0x00007FFBB77C0000-memory.dmp

Filesize
64KB

Download
memory/5044-1768-0x00007FFBB7610000-0x00007FFBB7640000-memory.dmp

Filesize
192KB

Download
memory/5044-1785-0x00007FFBB8C30000-0x00007FFBB8C3B000-memory.dmp

Filesize
44KB

Download
memory/5044-1788-0x00007FFBB7110000-0x00007FFBB7120000-memory.dmp

Filesize
64KB

Download
memory/5044-1749-0x00007FFBB9770000-0x00007FFBB97A0000-memory.dmp

Filesize
192KB

Download
memory/5044-1745-0x00007FFBB9610000-0x00007FFBB9620000-memory.dmp

Filesize
64KB

Download
memory/5044-1748-0x00007FFBB9770000-0x00007FFBB97A0000-memory.dmp

Filesize
192KB

Download
memory/5044-1786-0x00007FFBB7010000-0x00007FFBB7020000-memory.dmp

Filesize
64KB

Download
memory/5044-1782-0x00007FFBB8C30000-0x00007FFBB8C3B000-memory.dmp

Filesize
44KB

Download
memory/5044-1781-0x00007FFBB8C30000-0x00007FFBB8C3B000-memory.dmp

Filesize
44KB

Download
memory/5044-1780-0x00007FFBB8C10000-0x00007FFBB8C20000-memory.dmp

Filesize
64KB

Download
memory/5044-1779-0x00007FFBB8C10000-0x00007FFBB8C20000-memory.dmp

Filesize
64KB

Download
memory/5044-1777-0x00007FFBB8790000-0x00007FFBB879E000-memory.dmp

Filesize
56KB

Download
memory/5044-1776-0x00007FFBB8790000-0x00007FFBB879E000-memory.dmp

Filesize
56KB

Download
memory/5044-1775-0x00007FFBB8790000-0x00007FFBB879E000-memory.dmp

Filesize
56KB

Download
memory/5044-1774-0x00007FFBB8790000-0x00007FFBB879E000-memory.dmp

Filesize
56KB

Download
memory/5044-1773-0x00007FFBB86E0000-0x00007FFBB86F0000-memory.dmp

Filesize
64KB

Download
memory/5044-1772-0x00007FFBB86E0000-0x00007FFBB86F0000-memory.dmp

Filesize
64KB

Download
memory/5044-1771-0x00007FFBB7610000-0x00007FFBB7640000-memory.dmp

Filesize
192KB

Download
memory/5044-1770-0x00007FFBB7610000-0x00007FFBB7640000-memory.dmp

Filesize
192KB

Download
memory/5044-1769-0x00007FFBB7610000-0x00007FFBB7640000-memory.dmp

Filesize
192KB

Download
memory/5044-1784-0x00007FFBB8C30000-0x00007FFBB8C3B000-memory.dmp

Filesize
44KB

Download
memory/5044-1783-0x00007FFBB8C30000-0x00007FFBB8C3B000-memory.dmp

Filesize
44KB

Download
memory/5044-1765-0x00007FFBB74A0000-0x00007FFBB74B0000-memory.dmp

Filesize
64KB

Download
memory/5044-1764-0x00007FFBB7390000-0x00007FFBB73A0000-memory.dmp

Filesize
64KB

Download
memory/5044-1766-0x00007FFBB74A0000-0x00007FFBB74B0000-memory.dmp

Filesize
64KB

Download
memory/5044-1763-0x00007FFBB7390000-0x00007FFBB73A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads