Analysis

max time kernel: 692s
max time network: 699s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28-05-2024 09:15
Static task: static1
URLScan task: urlscan1
Signatures
Detect Umbral payload 2 IoCs
resource yara_rule
behavioral1/files/0x00040000000309ff-12850.dat family_umbral
behavioral1/memory/5540-12901-0x000001C637790000-0x000001C6377D0000-memory.dmp family_umbral
Downloads MZ/PE file
Sets file execution options in registry 2 TTPs 4 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
Executes dropped EXE 48 IoCs
Loads dropped DLL 64 IoCs
Registers COM server for autorun 1 TTPs 64 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{b2b66c6f-6c27-49d1-846a-6c27d322b9bb} = "\"C:\\ProgramData\\Package Cache\\{b2b66c6f-6c27-49d1-846a-6c27d322b9bb}\\windowsdesktop-runtime-6.0.30-win-x64.exe\" /burn.runonce" windowsdesktop-runtime-6.0.30-win-x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RobloxPlayerInstaller.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
113 camo.githubusercontent.com
115 raw.githubusercontent.com
Checks system information in the registry 2 TTPs 18 IoCs
System information is often read in order to detect sandboxing environments.
Drops file in System32 directory 16 IoCs
Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 38 IoCs
description ioc Process File created C:\Windows\Installer\SourceHash{E80165F8-5F40-42C5-82CE-BE934C750771} msiexec.exe File created C:\Windows\Installer\e5ac51f.msi msiexec.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\Installer\e5ac516.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIFF30.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5ac525.msi msiexec.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\Installer\e5ac51b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF15C.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{543852FC-D0E4-481B-B2B2-BEB271DED058} msiexec.exe File opened for modification C:\Windows\Installer\MSIF865.tmp msiexec.exe File created C:\Windows\Installer\e5ac524.msi msiexec.exe File created C:\Windows\Installer\e5ac529.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIC852.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{63F2E1E5-10EC-4F55-B92D-D65A7AA41A15} msiexec.exe File opened for modification C:\Windows\Installer\MSICFC6.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5ac520.msi msiexec.exe File created C:\Windows\Installer\SourceHash{D624CDFC-3CDA-47F7-9F84-A3CCB8D3396B} msiexec.exe File opened for modification C:\Windows\Installer\MSI3BB1.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\e5ac51a.msi msiexec.exe File created 
C:\Windows\Installer\e5ac520.msi msiexec.exe File created C:\Windows\Installer\e5ac525.msi msiexec.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\e5ac516.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIE64E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICDE.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5ac51b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIEF0A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF344.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFAD7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI442.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 11 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS RobloxPlayerInstaller.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer RobloxPlayerInstaller.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" RobloxPlayerInstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" RobloxPlayerInstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" RobloxPlayerInstaller.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio RobloxPlayerInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player RobloxPlayerInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox RobloxPlayerInstaller.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MicrosoftEdgeUpdate.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 
65006e002d0055005300000065006e0000000000 MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CFDC426DADC37F74F9483ACC8B3D93B6\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine.1.0\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\CLSID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass" MicrosoftEdgeUpdate.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\PROGID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CLSID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0 MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VersionIndependentProgID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8" 
MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.120.13561_x64\DisplayName = "Microsoft .NET Runtime - 6.0.30 (x64)" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b2b66c6f-6c27-49d1-846a-6c27d322b9bb}\Dependents\{b2b66c6f-6c27-49d1-846a-6c27d322b9bb} windowsdesktop-runtime-6.0.30-win-x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CFDC426DADC37F74F9483ACC8B3D93B6\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}" MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{2B1FB716-E7AB-41D3-ABFA-139408E0E970 = "0" browser_broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ELEVATION MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.120.13561_x64 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F56108E04F55C2428ECEB39C4577017 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69} 
MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a00c46e8dfb0da01 MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\ = "Google Update Policy Status Class" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusSvc.1.0" MicrosoftEdgeUpdate.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateBroker.exe\"" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CLSID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\294DDB4BC9A544E78DABA36D0D6D5AF5 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe.7khfu4p.partial:Zone.Identifier browser_broker.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3324 msiexec.exe 3324 msiexec.exe 3324 msiexec.exe 3324 msiexec.exe 164 chrome.exe 164 chrome.exe 3324 msiexec.exe 3324 msiexec.exe 3324 msiexec.exe 3324 msiexec.exe 6900 MicrosoftEdgeUpdate.exe 6900 MicrosoftEdgeUpdate.exe 6900 MicrosoftEdgeUpdate.exe 6900 MicrosoftEdgeUpdate.exe 6900 MicrosoftEdgeUpdate.exe 6900 MicrosoftEdgeUpdate.exe 1140 Bloxstrap-v2.5.4.exe 5760 RobloxPlayerBeta.exe 5760 RobloxPlayerBeta.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 5008 RobloxPlayerBeta.exe 5008 RobloxPlayerBeta.exe 1140 Bloxstrap-v2.5.4.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe 2868 Bloxstrap.exe 1140 Bloxstrap-v2.5.4.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 4588 MicrosoftEdgeCP.exe 4588 MicrosoftEdgeCP.exe 4468 MicrosoftEdgeCP.exe 4468 MicrosoftEdgeCP.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 2012 chrome.exe 2012 chrome.exe 2012 chrome.exe 2012 chrome.exe 2012 chrome.exe 2012 chrome.exe 2012 chrome.exe 4968 chrome.exe 4968 chrome.exe 4968 chrome.exe 4968 chrome.exe 4968 chrome.exe 4968 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4760 MicrosoftEdge.exe Token: SeDebugPrivilege 4760 MicrosoftEdge.exe Token: SeDebugPrivilege 204 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 204 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 204 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 204 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2972 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2972 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4540 firefox.exe Token: SeDebugPrivilege 4540 firefox.exe Token: SeShutdownPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeIncreaseQuotaPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeSecurityPrivilege 3324 msiexec.exe Token: SeCreateTokenPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeAssignPrimaryTokenPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeLockMemoryPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeIncreaseQuotaPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeMachineAccountPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeTcbPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeSecurityPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeTakeOwnershipPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeLoadDriverPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeSystemProfilePrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeSystemtimePrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeProfSingleProcessPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeIncBasePriorityPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeCreatePagefilePrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeCreatePermanentPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeBackupPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeRestorePrivilege 2772 
windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeShutdownPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeDebugPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeAuditPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeSystemEnvironmentPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeChangeNotifyPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeRemoteShutdownPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeUndockPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeSyncAgentPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeEnableDelegationPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeManageVolumePrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeImpersonatePrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeCreateGlobalPrivilege 2772 windowsdesktop-runtime-6.0.30-win-x64.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe Token: SeRestorePrivilege 3324 msiexec.exe Token: SeTakeOwnershipPrivilege 3324 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
(consecutive identical rows collapsed; the count column gives the number of occurrences)

pid   Process                                     count
4540  firefox.exe                                 12
4548  windowsdesktop-runtime-6.0.30-win-x64.exe   1
1140  Bloxstrap-v2.5.4.exe                        2
2868  Bloxstrap.exe                               1
6224  Bloxstrap.exe                               2
2012  chrome.exe                                  11
6980  Bloxstrap.exe                               1
2012  chrome.exe                                  9
2868  Bloxstrap.exe                               1
6224  Bloxstrap.exe                               1
1140  Bloxstrap-v2.5.4.exe                        1
6980  Bloxstrap.exe                               1
2012  chrome.exe                                  8
5392  Bloxstrap.exe                               1
2012  chrome.exe                                  1
4968  chrome.exe                                  11
Suspicious use of SendNotifyMessage 60 IoCs
(consecutive identical rows collapsed; the count column gives the number of occurrences)

pid   Process                 count
4540  firefox.exe             11
1140  Bloxstrap-v2.5.4.exe    1
2868  Bloxstrap.exe           1
6224  Bloxstrap.exe           1
2012  chrome.exe              8
6980  Bloxstrap.exe           1
2868  Bloxstrap.exe           1
6224  Bloxstrap.exe           1
1140  Bloxstrap-v2.5.4.exe    1
6980  Bloxstrap.exe           1
2012  chrome.exe              8
5392  Bloxstrap.exe           1
4968  chrome.exe              24
Suspicious use of SetWindowsHookEx 8 IoCs
pid   Process
4760  MicrosoftEdge.exe
4588  MicrosoftEdgeCP.exe
204   MicrosoftEdgeCP.exe
4588  MicrosoftEdgeCP.exe
4540  firefox.exe
4120  MicrosoftEdge.exe
4468  MicrosoftEdgeCP.exe
4468  MicrosoftEdgeCP.exe
Suspicious use of UnmapMainImage 8 IoCs
pid   Process
5760  RobloxPlayerBeta.exe
5008  RobloxPlayerBeta.exe
5144  RobloxPlayerBeta.exe
520   RobloxPlayerBeta.exe
2920  RobloxPlayerBeta.exe
5932  RobloxPlayerBeta.exe
6708  RobloxPlayerBeta.exe
5208  RobloxPlayerBeta.exe
Suspicious use of WriteProcessMemory 64 IoCs
(consecutive identical rows collapsed; the count column gives the number of occurrences)

description                        pid   Process      procid_target  count
PID 4736 wrote to memory of 4540   4736  firefox.exe  80             11
PID 4540 wrote to memory of 4476   4540  firefox.exe  81             2
PID 4540 wrote to memory of 996    4540  firefox.exe  82             48
PID 4540 wrote to memory of 2192   4540  firefox.exe  83             3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://workupload.com/file/uHQqfNQf33j"1⤵PID:956
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4760
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:2840
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4588
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:204
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:2228
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.0.592463552\1061995876" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1700 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4d7d1a6-c445-464d-a938-39dbd99572b8} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 1692 1ac46fb4158 gpu3⤵PID:4476
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.1.1137047111\874930912" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e05eee52-2793-4e15-af6a-49a20c7078a3} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2136 1ac34c71f58 socket3⤵
- Checks processor information in registry
PID:996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.2.280825770\1552978529" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8789eefa-4c38-48a0-84c7-0e039a1f580a} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2892 1ac4b199658 tab3⤵PID:2192
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.3.523179720\1027964215" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3444 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46160e94-2977-46d3-b5c4-814110b23f64} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 3460 1ac34c61f58 tab3⤵PID:64
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.4.460738224\39422304" -childID 3 -isForBrowser -prefsHandle 4388 -prefMapHandle 4384 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c440eb84-a7a8-4b9e-93ae-27fdc0f5f1da} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 3652 1ac4c2beb58 tab3⤵PID:2360
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.5.1007485509\62975001" -childID 4 -isForBrowser -prefsHandle 4636 -prefMapHandle 4672 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d994c8c0-466d-4c18-bcb8-addfc2e3abe2} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 4904 1ac49710558 tab3⤵PID:2276
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.6.1731882647\1022120104" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 4848 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {645a7190-da51-401f-8e65-5fbf8d93e51e} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5036 1ac4e82d558 tab3⤵PID:1040
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.7.332905984\696464592" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee29ca36-3949-4461-ab79-0ff7c6ef8036} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5232 1ac4e82c658 tab3⤵PID:3288
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.8.834998959\388715060" -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c13e6c1e-df9e-4202-a230-32a9a2233ea7} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5608 1ac4efdbe58 tab3⤵PID:5080
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4744 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffffe5a9758,0x7ffffe5a9768,0x7ffffe5a97782⤵PID:2092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:22⤵PID:2352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:1192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:4796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:2472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:4980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:1832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:2388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:2360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5140 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=5432 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:4160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:4788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2980 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:4136
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2968 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:4276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=888 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:4300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1032 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:2848
-
-
C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"2⤵PID:4884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4992 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=2464 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:3996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=904 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3448 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:6272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5096 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:6664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5528 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:6620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:5764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5336 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:5648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4452 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:82⤵PID:6744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5764 --field-trial-handle=1852,i,5757305532318923411,1581307036545499867,131072 /prefetch:12⤵PID:1320
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1960
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4120
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:204 -
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe"2⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\Temp\{BF2682B6-7959-44D4-A427-2B430C339FB3}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Windows\Temp\{BF2682B6-7959-44D4-A427-2B430C339FB3}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=5963⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320
-
-
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe"2⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\Temp\{CFCC0C73-DD8A-44F8-A2F3-A7727CA4F1BF}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Windows\Temp\{CFCC0C73-DD8A-44F8-A2F3-A7727CA4F1BF}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=5443⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416
-
-
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe"2⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\Temp\{D81BF050-20CC-4F4F-BE79-7444FE4B079A}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Windows\Temp\{D81BF050-20CC-4F4F-BE79-7444FE4B079A}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.30-win-x64.exe" -burn.filehandle.attached=604 -burn.filehandle.self=6083⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4548 -
C:\Windows\Temp\{A5214E05-0E8E-4D3B-B2E4-A0CC56691E85}\.be\windowsdesktop-runtime-6.0.30-win-x64.exe"C:\Windows\Temp\{A5214E05-0E8E-4D3B-B2E4-A0CC56691E85}\.be\windowsdesktop-runtime-6.0.30-win-x64.exe" -q -burn.elevated BurnPipe.{20A22594-DFD9-419F-9578-15C9847B2662} {93D2D6E4-5540-41DA-A0F5-798ED19B8FBC} 45484⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4468
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:5100
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2B163F2347C3924C1C20B4F553FE88092⤵
- Loads dropped DLL
PID:4340
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 00A4870A10E73A34B9F066AB1A23C59A2⤵
- Loads dropped DLL
PID:1220
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 276E2EFE8EA29A6E759913B1A420E0D82⤵
- Loads dropped DLL
PID:1592
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BE604776DBAF38EC64B5A5073632EB832⤵
- Loads dropped DLL
PID:4680
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2284
-
C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"1⤵
- Loads dropped DLL
PID:1284
-
C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1140 -
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe" /silent /install2⤵
- Executes dropped EXE
PID:6444 -
C:\Program Files (x86)\Microsoft\Temp\EU504A.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU504A.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:6900 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Modifies registry class
PID:5744
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Modifies registry class
PID:6936 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:5308
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:5656
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:7156
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkM4Mjg5NDctQzU1Qi00RTNCLThDOUMtRUYxMzZCN0QwNkZDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4NTM1NDYxQi0zRDk0LTQzNTktQjlGRC0wMkVCMTIyMTYwQTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3ODk0NTk0MTg2IiBpbnN0YWxsX3RpbWVfbXM9IjEyMTkiLz48L2FwcD48L3JlcXVlc3Q-4⤵
- Executes dropped EXE
- Checks system information in the registry
PID:6032
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{2C828947-C55B-4E3B-8C9C-EF136B7D06FC}" /silent4⤵
- Executes dropped EXE
PID:6076
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" --app -channel production2⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:5760
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:5992 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkM4Mjg5NDctQzU1Qi00RTNCLThDOUMtRUYxMzZCN0QwNkZDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFODRBOUFENS1GQUZDLTQzMzEtOTFEMS0xNzQyOUM4MEM5RjJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3OTA1ODU0MzE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3588
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\MicrosoftEdge_X64_125.0.2535.67.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\MicrosoftEdge_X64_125.0.2535.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:4612 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\EDGEMITMP_CA0EB.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\EDGEMITMP_CA0EB.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\MicrosoftEdge_X64_125.0.2535.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3132 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\EDGEMITMP_CA0EB.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\EDGEMITMP_CA0EB.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4DDC7F6B-5A93-4849-AB05-4FD5DDC08D60}\EDGEMITMP_CA0EB.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.67 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ff7c6ac4b18,0x7ff7c6ac4b24,0x7ff7c6ac4b304⤵
- Executes dropped EXE
PID:4924
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkM4Mjg5NDctQzU1Qi00RTNCLThDOUMtRUYxMzZCN0QwNkZDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5QjVENTZGOC1BRjA1LTQ5NDAtQTAwNS0yOTAwNjQzMDE2RjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyNS4wLjI1MzUuNjciIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc5NDkzMTQ1MTIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3OTQ5NTU0MTk0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODI2OTYwMjU3OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDcwOGU3NzAtNTFhMC00ZDAwLWEyZjMtZDczN
mRiODU4NmU3P1AxPTE3MTc0OTI4NDUmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9VVhUdExqUHVyekhuUFdrakg2bkdFQmVteDZ3dVVhb3BBJTJmcUJXbHd1YWw0YnNlSW1Qbjc0ZXR3Mnl4ZTNMUnBzb1VzMDhMdU1ESUhxMGFyTmxCeG5GZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3MzgwODU5MiIgdG90YWw9IjE3MzgwODU5MiIgZG93bmxvYWRfdGltZV9tcz0iMjMyNTgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MjY5OTMyNTE5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-[...]-2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4568
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868 -
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" --app -channel production2⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:5008
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6224 -
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" --app -channel production2⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:5144
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2012 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffffe5a9758,0x7ffffe5a9768,0x7ffffe5a97782⤵PID:4740
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:22⤵PID:2972
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:2828
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:4052
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:2312
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:5084
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:4700
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:6300
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:5980
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4904 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:5892
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:7092
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:6944
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3852 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:3580
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3780 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:6684
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:1380
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:4412
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4948 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:2220
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:5640
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe" roblox-player:1+launchmode:play+gameinfo:QEjiwdcVD6U41xZH6mp8Valfbf9XZW0qYCi87K80PuMHIgd7ZzS7tghTjXpTY3qivwrTydHm-xyOte-oMGFfV5iCPmmcXGuWSq8aqajUEjQ6GwXAJompJPyT4feNgFs6ZMf3rAp-DW-fqNVPevGByoIqF2vPTlNO4GbjaencS6DkVXx2SOMLaUdu-QrOTWiYTDVJIspTJUSZM3uYijLz5PbYKBckfIZxGwwOpf7GXrI+launchtime:1716888252641+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1716888155232001%26placeId%3D4483381587%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D3b750e62-eea6-4e0a-ad23-e163953107d9%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1716888155232001+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6980 -
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" --app -t QEjiwdcVD6U41xZH6mp8Valfbf9XZW0qYCi87K80PuMHIgd7ZzS7tghTjXpTY3qivwrTydHm-xyOte-oMGFfV5iCPmmcXGuWSq8aqajUEjQ6GwXAJompJPyT4feNgFs6ZMf3rAp-DW-fqNVPevGByoIqF2vPTlNO4GbjaencS6DkVXx2SOMLaUdu-QrOTWiYTDVJIspTJUSZM3uYijLz5PbYKBckfIZxGwwOpf7GXrI --launchtime=1716888258243 -j https://www.roblox.com/Game/PlaceLauncher.ashx?request=RequestGame&browserTrackerId=1716888155232001&placeId=4483381587&isPlayTogetherGame=false&joinAttemptId=3b750e62-eea6-4e0a-ad23-e163953107d9&joinAttemptOrigin=PlayButton -b 1716888155232001 --rloc en_us --gloc en_us -channel production3⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:520
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4876 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:6188
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:1556
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:6228
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5036 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:6476
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:82⤵PID:3940
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
PID:6736 -
C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" -app -isInstallerLaunch3⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:2920
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:22⤵PID:660
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1808 --field-trial-handle=1848,i,14262641323488363531,4459381378953506220,131072 /prefetch:12⤵PID:1220
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe" roblox-player:1+launchmode:play+gameinfo:4F0MK9M-FbDDSbKW4RLC9cV91QmL3mficyDTJPW6GMmrtFRp2vxziiwTblbAyjp11PtNVNQEmMotkIIiDjMzjZ1JOl0shIIGHYfQPwaejkc1kATI70VznUqN1BcUHO0i3x43xhRRpTp1pwW641vz0uJBLfWGgGf5G7cmEbGiRtGtV6WYjNlT3XWDnF_XrpUKb_ojS0EEnRD3VRwWwEfIMwt7T2turdffY8xnwAnQmuE+launchtime:1716888252641+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1716888155232001%26placeId%3D4483381587%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D3b750e62-eea6-4e0a-ad23-e163953107d9%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1716888155232001+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5392 -
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe" --app -t 4F0MK9M-FbDDSbKW4RLC9cV91QmL3mficyDTJPW6GMmrtFRp2vxziiwTblbAyjp11PtNVNQEmMotkIIiDjMzjZ1JOl0shIIGHYfQPwaejkc1kATI70VznUqN1BcUHO0i3x43xhRRpTp1pwW641vz0uJBLfWGgGf5G7cmEbGiRtGtV6WYjNlT3XWDnF_XrpUKb_ojS0EEnRD3VRwWwEfIMwt7T2turdffY8xnwAnQmuE --launchtime=1716888331500 -j https://www.roblox.com/Game/PlaceLauncher.ashx?request=RequestGame&browserTrackerId=1716888155232001&placeId=4483381587&isPlayTogetherGame=false&joinAttemptId=3b750e62-eea6-4e0a-ad23-e163953107d9&joinAttemptOrigin=PlayButton -b 1716888155232001 --rloc en_us --gloc en_us -channel production3⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:5932
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1152
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
PID:240
C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:6708
C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-0a57b2f24afe434b\RobloxPlayerBeta.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of UnmapMainImage
PID:5208
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:6700 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1CAC58A-50DA-4937-8F87-6A911E2D2A47}\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F1CAC58A-50DA-4937-8F87-6A911E2D2A47}\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe" /update /sessionid "{939BDA70-EF2C-41E3-A262-305D0B9C7384}"2⤵
- Executes dropped EXE
PID:4320 -
C:\Program Files (x86)\Microsoft\Temp\EU3468.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU3468.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{939BDA70-EF2C-41E3-A262-305D0B9C7384}"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks system information in the registry
PID:3156 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Modifies registry class
PID:6336
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:3708
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:4336
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:3804
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTcxLjM5IiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny4zOSIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2MzU2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MTY4ODgwMzgiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNzk2OTA2MjgxIi8-PC9hcHA-PC9yZXF1ZXN0Pg4⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5924
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTM5QkRBNzAtRUYyQy00MUUzLUEyNjItMzA1RDBCOUM3Mzg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4MkQ4RUYyMy04MTc1LTQ0NTktOUY5MC1FM0Y5ODMxNThEMUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTg3LjM5IiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjc0MDkyNDgwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjc0MjQ4NjgzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNzA4MzgxNjY0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8yMjE2NjdkYy1iYjBhLTRhY2ItODMzZC01YTExZGM4OGE4Y
mY_[...]-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyNS4wLjI1MzUuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYzNTYiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9IntBNDhGMkI2My01MjQxLTQ2ODItQkU5OS00NzEzOUUzNzBDRUN9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3120
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffffe5a9758,0x7ffffe5a9768,0x7ffffe5a97782⤵PID:5872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:22⤵PID:6896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:6296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:5456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:12⤵PID:3808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:12⤵PID:5924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:12⤵PID:6252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4312 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:4336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:3284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4892 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:12⤵PID:5900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4388 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:12⤵PID:3764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:6956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:5364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:6564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4444 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:1192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:2180
-
-
C:\Users\Admin\Downloads\Sha Executor V2 (1).exe"C:\Users\Admin\Downloads\Sha Executor V2 (1).exe"2⤵
- Executes dropped EXE
PID:5540 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵PID:1356
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5084 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:12⤵PID:2220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5528 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:2104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3640 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:6876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3636 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:2116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1868,i,8955150251260238874,4147463588794993678,131072 /prefetch:82⤵PID:3684
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:7052
-
C:\Users\Admin\Downloads\Sha Executor V2 (1).exe"C:\Users\Admin\Downloads\Sha Executor V2 (1).exe"1⤵
- Executes dropped EXE
PID:368 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵PID:6200
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 55KB
MD5: 29b339e3e245fe19790b392edb2126c5
SHA1: af49e4c8710e6613a21806177db88d83bbe7b622
SHA256: 82cdd65130e0a4b05d50cbe08e26cbd62b283c658e39c96382f7e02365573f37
SHA512: 0301ab4e607e46d2c3344c7f3b24174ce5ea1cc9d042cdc0243c24f7b9d6e14dfca1c9c7d845c0005ba844ea972e639acd8aa46e16231af6e8d0c569f2a80152

Filesize: 8KB
MD5: 92d6a430b38de4af71f15cad4bc6ffe2
SHA1: bf4301678ec76cb4d78386d9e5fc168a2781705b
SHA256: 70a5563c6f2930eb1a152b93abf92eda777eb296f1647234685fe2a2e99580b9
SHA512: 941e0b80a1edca579cde53d0c4f4cdadfd5821a7015a137084e0cbee562d4f63fa8f4037a00e7d066207eefab619a3451908081e02e3bba66fee71fec71e5df6

Filesize: 9KB
MD5: a138be5edf84c4770825b955f08c2c3c
SHA1: dd5422363735a3a46f12252e1cb7e3883b0bb098
SHA256: 6504214cbb819da859a026ace1431d5e88b00324f84d65ca089e62556c670339
SHA512: 5eb2b3dc2b9e9c1d2caac3d658a95c28b2406819552a4b30696188b58f790471686b75ad2e31fd7f267869270a58e09a7738c8b864658676bf171d0f0917ac94

Filesize: 86KB
MD5: b662222567d7a992131b5f3b8005c413
SHA1: de38ae64d7f669043425e48917d84b63fd7c1c38
SHA256: c97ba1ce6f1b6b773cc399b45f05ca15624e8094d2bd440bec5c2ad745633408
SHA512: 65c38eb84fbae526cbf315a00c4bd2ec81aed4609128b4fa8b9cf378fae9539452c555f9c27d2b5510d4d1a85cc2664f1f4a8b58a1b690c1a07c8cf83ae9b760

Filesize: 6.9MB
MD5: 6aafb8c6ce355a80514a2f3abc13a9ad
SHA1: 2db9a7dde9086dd415ee41b4b109a3311f088c8c
SHA256: adbd1a10981cccd00918d924ec93a9d6f29d16190691f6984b199f9a42cc0cb6
SHA512: c9f23c68b7385d8edfdbff7b80a6064ac8eb879384796e7f54b094155feb32a86836c4a910c323128a4a6b3b15b7fbe1a9b0b56153ff0e71c96dce7776b0f848

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.187.39\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
Filesize: 1.5MB
MD5: 1f744e1c802560affe8b308640b6ab67
SHA1: bbfecefdf891c11d573760d4dabdf86091463421
SHA256: fa7d8a8cae60ab620d2aa887de62039d2647e4f5c1c649d75f0f52e14ec11a99
SHA512: 780440aa518397e52bb429b5a8e7697bf0096db0fe343cd40a541b60f34ad4976ef7fc2204737d296a8c1fbed2951496503dc50158d6455617c67483f87f3015

Filesize: 201KB
MD5: 4dc57ab56e37cd05e81f0d8aaafc5179
SHA1: 494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA256: 87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512: 320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Filesize: 5.3MB
MD5: 0469bb703f1233c733ba4e8cb45afda2
SHA1: a07afd7ecf1d0b740b0e2eddfcde79dcf6e1767f
SHA256: 00314da401908da37ebfe9b642506cab81a4467c092719fcf007be045bc4a9e0
SHA512: 342c9629e705eb78c7bd52b3efe4a92b6a8bece9933956390450600635e4c0511ca96ccaa25e6920e9d25ccdf444dabfea7b09f8fbcba2f371655f87633b6d67

Filesize: 280B
MD5: 3bb2b262d7d8230e00cb34f6f5f5f84c
SHA1: 4ac251bc03cd0e00cd0d33275ba500a6de2fbaed
SHA256: 8b549d827b6805f3ba7ab706371b4d65314cd691475168c15e468dd50cb314ab
SHA512: 849999c3bc3581a0ba6b44ae11f5b5efde374c248629a1846bc15d38b12c26fadfce6c9148272f1b2e9f3a89a780d91523906b9cad8d3671d3fec0ff1f734797

Filesize: 9KB
MD5: 31c5a77b3c57c8c2e82b9541b00bcd5a
SHA1: 153d4bc14e3a2c1485006f1752e797ca8684d06d
SHA256: 7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d
SHA512: ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

Filesize: 78KB
MD5: f77a4aecfaf4640d801eb6dcdfddc478
SHA1: 7424710f255f6205ef559e4d7e281a3b701183bb
SHA256: d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7
SHA512: 1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

Filesize: 15KB
MD5: c7a05080e711990b59c6e4bec592e5e2
SHA1: 3b0194ae35bee844f32d3901da57737cc51e9587
SHA256: bd63c3bc7458dd48975354cf826f11d68d25ca2626c17d1e711fa916e4200310
SHA512: 7a9f2e44ff083faaba8d90c4363de5b9a27a69f95173918bdc50cdd4026c4b904d094da10c04b98ee64971f9507533689be0fb5b8a7671f5b47060016394abeb

Filesize: 120B
MD5: 636492f4af87f25c20bd34a731007d86
SHA1: 22a5c237a739ab0df4ff87c9e3d79dbe0c89b56a
SHA256: 22a1e85723295eeb854345be57f7d6fb56f02b232a95d69405bf9d9e67a0fa0d
SHA512: cd2e3a738f535eb1a119bd4c319555899bcd4ce1049d7f8591a1a68c26844f33c1bd1e171706533b5c36263ade5e275b55d40f5710e0210e010925969182cd0c

Filesize: 694B
MD5: 122f81104717f419f3f9f006e9c1b70e
SHA1: b762977764e8c2097f2ee49ea11003f2a273ed2d
SHA256: cc63eab2a85081e1be6bd036867340197e00b5908cf564ed813117557888aad6
SHA512: 004a6888562bff5061ccf2bb4bdb90b3fa42e72972859cfdba1df529275701a018f68be587fb47c02c2f93a4ef6a0846cf7c90a006e7f57495f5f4c87d90fa45

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.png
Filesize: 20KB
MD5: 4f8f43c5d5c2895640ed4fdca39737d5
SHA1: fb46095bdfcab74d61e1171632c25f783ef495fa
SHA256: fc57f32c26087eef61b37850d60934eda1100ca8773f08e487191a74766053d1
SHA512: 7aebc0f79b2b23a76fb41df8bab4411813ffb1abc5e2797810679c0eaa690e7af7561b8473405694bd967470be337417fa42e30f0318acbf171d8f31620a31aa

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\ExtraContent\textures\ui\LuaApp\graphic\[email protected]
Filesize: 71KB
MD5: 3fec0191b36b9d9448a73ff1a937a1f7
SHA1: bee7d28204245e3088689ac08da18b43eae531ba
SHA256: 1a03e6f6a0de045aa588544c392d671c040b82a5598b4246af04f5a74910dc89
SHA512: a8ab2bc2d937963af36d3255c6ea09cae6ab1599996450004bb18e8b8bdfbdde728821ac1662d8a0466680679011d8f366577b143766838fe91edf08a40353ce

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\ExtraContent\textures\ui\LuaDiscussions\buttonFill.png
Filesize: 247B
MD5: 81ce54dfd6605840a1bd2f9b0b3f807d
SHA1: 4a3a4c05b9c14c305a8bb06c768abc4958ba2f1c
SHA256: 0a6a5cafb4dee0d8c1d182ddec9f68ca0471d7fc820cf8dc2d68f27a35cd3386
SHA512: 57069c8ac03dd0fdfd97e2844c19138800ff6f7d508c26e5bc400b30fe78baa0991cc39f0f86fa10cd5d12b6b11b0b09c1a770e5cb2fdca157c2c8986a09e5ff

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\configs\DateTimeLocaleConfigs\zh-hans.json
Filesize: 2KB
MD5: fb6605abd624d1923aef5f2122b5ae58
SHA1: 6e98c0a31fa39c781df33628b55568e095be7d71
SHA256: 7b993133d329c46c0c437d985eead54432944d7b46db6ad6ea755505b8629d00
SHA512: 97a14eda2010033265b379aa5553359293baf4988a4cdde8a40b0315e318a7b30feee7f5e14c68131e85610c00585d0c67e636999e3af9b5b2209e1a27a82223

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\configs\DateTimeLocaleConfigs\zh-tw.json
Filesize: 2KB
MD5: 702c9879f2289959ceaa91d3045f28aa
SHA1: 775072f139acc8eafb219af355f60b2f57094276
SHA256: a92a6988175f9c1d073e4b54bf6a31f9b5d3652eebdf6a351fb5e12bda76cbd5
SHA512: 815a6bef134c0db7a5926f0cf4b3f7702d71b0b2f13eca9539cd2fc5a61eea81b1884e4c4bc0b3398880589bff809ac8d5df833e7e4aeda4a1244e9a875d1e97

Filesize: 6KB
MD5: 9404c52d6f311da02d65d4320bfebb59
SHA1: 0b5b5c2e7c631894953d5828fec06bdf6adba55f
SHA256: c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317
SHA512: 22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\Cursors\KeyboardMouse\IBeamCursor.png
Filesize: 292B
MD5: 464c4983fa06ad6cf235ec6793de5f83
SHA1: 8afeb666c8aee7290ab587a2bfb29fc3551669e8
SHA256: 99fd7f104948c6ab002d1ec69ffd6c896c91f9accc499588df0980b4346ecbed
SHA512: f805f5f38535fe487b899486c8de6cf630114964e2c3ebc2af7152a82c6f6faef681b4d936a1867b5dff6566b688b5c01105074443cc2086b3fe71f7e6e404b1

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\StudioToolbox\Clear.png
Filesize: 538B
MD5: fa8eaf9266c707e151bb20281b3c0988
SHA1: 3ca097ad4cd097745d33d386cc2d626ece8cb969
SHA256: 8cf08bf7e50fea7b38f59f162ed956346c55a714ed8a9a8b0a1ada7e18480bc2
SHA512: e29274300eab297c6de895bb39170f73f0a4ffa2a8c3732caeeeac16e2c25fb58bb401fdd5823cc62d9c413ec6c43d7c46861d7e14d52f8d9d8ff632e29f167c

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\StudioUIEditor\valueBoxRoundedRectangle.png
Filesize: 130B
MD5: 521fb651c83453bf42d7432896040e5e
SHA1: 8fdbf2cc2617b5b58aaa91b94b0bf755d951cad9
SHA256: 630303ec4701779eaf86cc9fbf744b625becda53badc7271cbb6ddc56e638d70
SHA512: 8fa0a50e52a3c7c53735c7dd7af275ebc9c1843f55bb30ebe0587a85955a8da94ff993822d233f7ed118b1070a7d67718b55ba4a597dc49ed2bf2a3836c696f6

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\TerrainTools\checkbox_square.png
Filesize: 985B
MD5: 2cb16991a26dc803f43963bdc7571e3f
SHA1: 12ad66a51b60eeaed199bc521800f7c763a3bc7b
SHA256: c7bae6d856f3bd9f00c122522eb3534d0d198a9473b6a379a5c3458181870646
SHA512: 4c9467e5e2d83b778d0fb8b6fd97964f8d8126f07bfd50c5d68c256703f291ceaed56be057e8e2c591b2d2c49f6b7e099a2b7088d0bf5bdd901433459663b1f8

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\ui\Controls\XboxController\Thumbstick1.png
Filesize: 641B
MD5: 2cbe38df9a03133ddf11a940c09b49cd
SHA1: 6fb5c191ed8ce9495c66b90aaf53662bfe199846
SHA256: 0835a661199a7d8df7249e8ae925987184efcc4fb85d9efac3cc2c1495020517
SHA512: dcef5baccef9fff632456fe7bc3c4f4a403363d9103a8047a55f4bd4c413d0c5f751a2e37385fe9eba7a420dbdb77ca2ff883d47fcdd35af222191cc5bd5c7a9

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\ui\Controls\XboxController\[email protected]
Filesize: 1KB
MD5: e8c88cf5c5ef7ae5ddee2d0e8376b32f
SHA1: 77f2a5b11436d247d1acc3bac8edffc99c496839
SHA256: 9607af14604a8e8eb1dec45d3eeca01fed33140c0ccc3e6ef8ca4a1f6219b5dd
SHA512: 32f5a1e907705346a56fbddfe0d8841d05415ff7abe28ae9281ba46fedf8270b982be0090b72e2e32de0ce36e21934f80eaf508fd010f7ab132d39f5305fb68f

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\ui\Controls\XboxController\[email protected]
Filesize: 1KB
MD5: 499333dae156bb4c9e9309a4842be4c8
SHA1: d18c4c36bdb297208589dc93715560acaf761c3a
SHA256: d35a74469f1436f114c27c730a5ec0793073bcf098db37f10158d562a3174591
SHA512: 91c64173d2cdabc045c70e0538d45e1022cc74ec04989565b85f0f26fe3e788b700a0956a07a8c91d34c06fc1b7fad43bbdbb41b0c6f15b9881c3e46def8103e

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\ui\Controls\XboxController\Thumbstick2.png
Filesize: 738B
MD5: a402aacac8be906bcc07d50669d32061
SHA1: 9d75c1afbe9fc482983978cae4c553aa32625640
SHA256: 62a313b6cc9ffe7dd86bc9c4fcd7b8e8d1f14a15cdf41a53fb69af4ae3416102
SHA512: d11567bcaad8bbd9e2b9f497c3215102c7e7546caf425e93791502d3d2b3f78dec13609796fcd6e1e7f5c7d794bac074d00a74001e7fe943d63463b483877546

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\ui\Controls\XboxController\[email protected]
Filesize: 1KB
MD5: 83e9b7823c0a5c4c67a603a734233dec
SHA1: 2eaf04ad636bf71afdf73b004d17d366ac6d333e
SHA256: 3b5e06eb1a89975def847101f700f0caa60fe0198f53e51974ef1608c6e1e067
SHA512: e8abb39a1ec340ac5c7d63137f607cd09eae0e885e4f73b84d8adad1b8f574155b92fbf2c9d3013f64ebbb6d55ead5419e7546b0f70dcde976d49e7440743b0f

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-0a57b2f24afe434b\content\textures\ui\Controls\XboxController\[email protected]
Filesize: 1KB
MD5: 55b64987636b9740ab1de7debd1f0b2f
SHA1: 96f67222ce7d7748ec968e95a2f6495860f9d9c9
SHA256: f4a6bb3347ee3e603ea0b2f009bfa802103bc434ae3ff1db1f2043fa8cace8fc
SHA512: 73a88a278747de3fefbaabb3ff90c1c0750c8d6c17746787f17061f4eff933620407336bf9b755f4222b0943b07d8c4d01de1815d42ea65e78e0daa7072591e9

Filesize: 40B
MD5: 2d9f034fe011a3626c641622da4e1fe2
SHA1: e79ffce5333c61d94a36ccaf9cf1a72e03268656
SHA256: 34b2d6b896be4a5c8771e65da5d9342ef5f69880e9948b6a9522c06ca50efc00
SHA512: 703dae4d2a4f7ece62ef72c964d232b229964ca84638c916804a983bab85c5da30a2af269359261c3044a56e362341f442e0137eeef6f82ddb4fc97b358fd580

Filesize: 51KB
MD5: 588ee33c26fe83cb97ca65e3c66b2e87
SHA1: 842429b803132c3e7827af42fe4dc7a66e736b37
SHA256: bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760
SHA512: 6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

Filesize: 7KB
MD5: 0e82a7d8d5d9442a0005c422e39faefe
SHA1: 0a4d7b807766cbf257190152a66adfbb65d6f586
SHA256: f77bd2481eddabd28f2e6495be77ed3d2476c2b79b8939be0aa93f113b17207b
SHA512: 3e8793d9ee8135af6d9027242979754b299ff19643f3a0ec8d98e25e36a87d2bfb01cb2083665e8b973e6f26ed3fe33dbf67dad7fe3b5748d66cac31769e6fe6

Filesize: 7KB
MD5: 2a2bcfe3d676d118fb9a3a7388e136f3
SHA1: 960914f5dab2d74805af85fe33d202882c69b871
SHA256: ee2b08806ca60c5b153fb8c336e07eda34caf8b9663c9b892dbb640e5adbebe9
SHA512: 38be1832410e7e9a581264295eb19c39cc8f5847f2e2787c68b07cdb54139475309505455d5969fd425add302482d4fec775319797f4a08bd0d51f9868c8f066

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize: 23B
MD5: 3fd11ff447c1ee23538dc4d9724427a3
SHA1: 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256: 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512: 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3d64fff8-15cd-4939-8d67-c828cab13579.tmp
Filesize: 5KB
MD5: d88ba8e82a63f31382d0b001db79a5df
SHA1: 2359d16216087ed5a1d1bbdc32ec2cac0f8c7f6f
SHA256: c2b9bc4b7f1190af0acec71030f1cb40d8dfc71f59a3e270abc568213d4a4ccf
SHA512: d6e0f3ba89f153d30d6a6ffeeb948b784f6fa8ee54b00201469a3d680379de14075d31cee3f4ab65e214fa0a9df8830c427b48a17cefd7f284e7b51226ee78db

Filesize: 8KB
MD5: f1d8d962f546928a608b9765c9edd062
SHA1: a3bb4169d2e91d3dbde0ee7293ca11243ed853d6
SHA256: 213ed53f35b28ae8749047453a2824b55a0b3428463982245289f81f0d2176b9
SHA512: c0a3293d7a2490734de5a72d1c139609124edb09472360eb54cad5c5a46ef86e7bbcf449e82c6a6593117c5287a990f5b7e1defd99df2f5d4ed75f6d0dfdda7b

Filesize: 9KB
MD5: 2411a7dc8905a7957b65120b046d1e4d
SHA1: 9f6da56cc915799ecc53cf60870324c61ab7499a
SHA256: 20f7b5254657acd768ca8519aa19c8fc709b51d5b1d092d1f1a1ab16e9dc9d0d
SHA512: 4046f4937f0f29b4b06b83343c4b7c5037499ce8f645dca6c202eb13485d41a47688463786f3f1d9b224371b126eece86078b023cb399e2859db0a161a3f9f55

Filesize: 4KB
MD5: d1c655a8f8eec2086d0d77bac776467a
SHA1: 14881daa4cd4a4c8de744811d856751eab901b6f
SHA256: c6feaa0af0c4031551d775506c9263b4cf5df1990e6da7411ab0d1660c926380
SHA512: 7b4ea5b5be06237210c7f1edb0b1d4e4096b0407cfec3a1fc435b4e068de23c7a887569d070b182901d813bdb45116e3afac40f6a9415e0b60d7a5a393ff386c

Filesize: 9KB
MD5: 8152fe452efe6434729b7151b1219bc3
SHA1: efb8461edaf566cefbb86ee300b83933796d2245
SHA256: 0857ec37a07ca6afc96e5dfe41d67cc84d9660e908b3f9d943fd06a903d07bc4
SHA512: 9e9cb0ad725ef18febf0fd5557f0a3afa9f76be7986c6dc158967a385e1b3ef93a478c656f1be55d389aa70a996b654a160c6f0bd15d8beceb0eb6cc4a66ccc4

Filesize: 2KB
MD5: c4f1eec6c9bf1280d4e2fde6700380c4
SHA1: a69e46fd87d78ed5498990baa8c9d49f25150a89
SHA256: 9bbbc6d8e7ece91786c99c0b52c4112536651e85d513fa53488be1f074f42600
SHA512: d040d079047cbb1191f4ca4cdd0a56b4019288e67978a6f819fe9abeb53bf17e528d611a2053234806f55ae2207d10c787b3e8f00bd1d395243504f93bf4cf66

Filesize: 2KB
MD5: e195550048f856147f62fa4c0b840c4c
SHA1: bde5cf653401f0f49b906983d6916ff5fbebfd1c
SHA256: 8558162018dc906ca6dcb470f5c68703e386ca31cca61d584bf943f59b78810c
SHA512: 45097e6749bf00e86a9eabc15f87942f662d82fa228786dc9d055a4d0c09c3baaf9f809af498759059567fe5039fd617b383e99f8d07d6e7f16b1e911217db83

Filesize: 2KB
MD5: 31d482c60a421c665649faa94b2fc87d
SHA1: 26c9dfc7a0514449ff8ffa95bb2490cc48c687eb
SHA256: ff6100715384d30b2679812d1ea36b2239bd6a06dcdaba3b424e725da9809c2e
SHA512: 94c2c4e9d4419020967976eace0e2b7921dafe5de10f4d71a493dfa4253079788c02449a701ecff9de860e5f368973baa2bcccee870db7c43773ab40616e4dfe

Filesize: 5KB
MD5: 3ad78860a1e9e0fd0f7bcda5474eacd8
SHA1: c2ea48966013dfc407de156e02653e74892da31d
SHA256: 4f49e8518b7d4056c8ab7131c7f4653068b3c1bb722768f4beb1f14fa7a91e81
SHA512: e10d6373226c020a7cc9e6e839409c86d426c7be92648ef278dbfc08c4ba8555aa49848079c2936d19982aea476f3d6797c9ce69081f8c68910d8e78e378acce

Filesize: 3KB
MD5: e28ec4fe2d509f3cc850621a9adf97c9
SHA1: c62b44e7a08b7b777da3c7cc3568fa08c82e0e99
SHA256: af1a0ffe97825c8bc5bcffd928ce77377fea6e4a5ca1f41ab5f032af69aa2ddf
SHA512: ea9b46ef6a3a6bb47594f5c64a5864251456596a48774997fb37a87bc5b09fb7c48256914ba965c6408ec4f639c8c8fc4292944a42003aeefc509fffb7092195

Filesize: 3KB
MD5: 21fe4ac0b77399023bd3ee1900798aeb
SHA1: 112d9fa5a5dd70ee481424d9d62a80b77ddfb27a
SHA256: f92075e12bf6eaf7ce28cf610308eb186c35c5f7d47ac0fb0358e7bb70db5be6
SHA512: 182e421bfad4b2fb26d614628ff5a1adf65fa046c6babdcac175df722514ac86834eb10cc4227702a59bee9a2a541414813c3cc1b4411b9b29ea4afb60b8c1ce

Filesize: 5KB
MD5: 80f426e28767493fc1243cbd837f51e9
SHA1: 1319faebc95ba0a3effd875352983a797de545bc
SHA256: 0dfb80871bf2c5c4d9c0db6ca2c1152e3556168f2a05c85d1ed37785b851dacf
SHA512: a4d273e17ea6b1bdf0fd48c218a3f862b575a3a5496a21045fdb666356414b5669f2bd5df9cc41f3b3931a830f66c1c0b1be9c2feb3bcdd18f3d29b2fe07695b

Filesize: 5KB
MD5: ca00362c3e964f9a7f644094e44b3b0d
SHA1: 8e77cacd6294b77bfea3be12b0c9bea2ebea5b3c
SHA256: 5288581ecceff136db3d64ecafce45fa8d9a545846d1fea47daee443b61fe6c6
SHA512: 0abbc1d7a2dd30376452e81f4ddb55deb956ca5ebe8a26d16c8db0eca7cc6fabf5aeef0d4b889e143540b3f13a1a5d5e9e7307d6f86e0834664c3aaf8192deea

Filesize: 3KB
MD5: be8196f4773e83c3631a804c4a689727
SHA1: 57dfadb48206826db1f0c0f12d72decd9f348ceb
SHA256: 63be0dfeaf2148e55b2739b645bd5e01ee8c3fb51cd282d16e2eab5ca5f1adab
SHA512: 1b1d5537a2668dc84b2c1c5dc575005782a6f1e39746885720b464849be5c4568aa28512f1ba3d6f1132f908a116cdae2959270dadf1ab2da4522351ac5b53bd

Filesize: 5KB
MD5: d12632f72c1b18797ee66cb9057719ac
SHA1: 2ed93b59ee756870fa93f327537676d7b813e76e
SHA256: 52be16d5dfc801a8aa2c93dad95a3e8280423d7e46ece24880e90e5495cbe4b2
SHA512: 807be2a828fb38683bd39a2cb9f120057a4b887f70f069ac49fa490708b51053f602462d9f318a8e6522e9d09a34cefac0d1383402fd848b71c7745ed23f101c

Filesize: 5KB
MD5: 1041476549eefc3b54ba4ac4972234e4
SHA1: 6108aa7301f0815b73d11079b9e1492c76b3b967
SHA256: bd85a9c08435678f0f43dbe9f4d9d75a0907ef61971307803d039d9b56dbc353
SHA512: 4517d4dfeb58cb7d398989bfbd08fcaca5ea8065cedd62cd8c904de344d0ddfa0b611f46f2e8399b360f06cba855e9d050ef11d8c1ca15d247373899c861766b

Filesize: 5KB
MD5: 739dcc5387247374e6f6bf8d8f95eb7e
SHA1: 50fc5fd88e4f8823ad1e96d08606214e46314272
SHA256: 35b564013478d9ab2e3bc84b768eeb7c84874d754f77ee2da2193e5771cc978a
SHA512: 821b4363e485274447c210f114d99f5645fd2951a5a4a5e0017f13f9b7bef837bae3943e3976a9c38402e9e794c7d2fb34af4d71d6ec9e93a3504f0eb334641c

Filesize: 5KB
MD5: c0509be2dd70d58bb7eda37fcebf8624
SHA1: 34df9440adf6028ed35a33674f377572348763bf
SHA256: 9914c0d8a714fad76d28ca704da8f7009d10df2cb5cb90b43c6941a6923e528c
SHA512: b7c40510c5fd061d084d02939a37f2ee6d36c6c8d131dcbc8031e643eb8e2f6b56734e796c01a261c58342bd28b119fbafee574964a38046f50d4bbacfca93e1

Filesize: 5KB
MD5: b2715533404f4181aef808ab4b78a9c7
SHA1: a71e048cd8d18ce3c30d1befd471f87065a8b2ca
SHA256: 1e4c7f5bfcb1899b33e335a096a42430620e97d36e407af4312c24c3aeef7270
SHA512: 04028b152ae441c02ba32a7dc696a98fc27b2e46818c2d2df3ed7433f9759333523c3f9e1339f517645c4405a5c9533aaaa03d962db7e05339c884d9efd2d578

Filesize: 5KB
MD5: 322c6190152440ee79bc953ade63dcc9
SHA1: c0298110e7c45484fd308eb0c0acc2d4ff40eeef
SHA256: e41895a05721f84b09f1c7744df8fdeaacfb13f53afba4eb3c7e0dbe806b6fbf
SHA512: 797ce1106e0dbb262a1355ae157321f080d186ec8ccd12ac17a68e0ec4c4eb6a640495998980b816632515b83be4261615eb3aeb538f7e7e717d6ead3109156e

Filesize: 5KB
MD5: ec6a053bed1f9ec85a36e5aff18e8712
SHA1: 4589c7d01a802ae2eb80ac0e47ed8b0cc6e4b332
SHA256: 40af488e4ee56acac85b54998ee9d5feb911be93836eced521e50af450e49cbf
SHA512: b99109e3920c8408a714fa811f7b9631e836a325550f228b15b30bb5a168675ae3652f6eaebbcf8d41358248dc6a328d3b1e61266f0e6e3ba7ae7de642af799c

Filesize: 5KB
MD5: 812e596f084620fbe67a6b575a0d372e
SHA1: d5185cfdfde37d26c98d7441d9acda33d327f033
SHA256: 7075fd49661566c47497ef277d754ad400b641a332a40b9358cba18047cdb2ed
SHA512: 9d4ad8f8da46566c12c5ac6cd15be7a2bc0cc65da4c6bb72477f93d37b99160aae28e952595784b5e54ef93e7d31cfc4073ac2f7440faef4061f5e78a1685f51

Filesize: 1KB
MD5: 3ded76bacdd2b2f578da2617de88739c
SHA1: ffffb32c4df757064a2f7bc80e85462d5cc32bb9
SHA256: 3f55442c9b90ae7ed8aabf301e80bfdf8eddef251c5bea3d54494bdde13bc1b8
SHA512: 56c3f88fb2eb53176f03729cd3299bed2a2510777912fcf5618f22e2b158b1b8ea6c763b7c94a9b42fecc52c41e7208770389e6573341d33ddc7e80431c174e2

Filesize: 1KB
MD5: 96d88f7be985e1256e3b7d06267a096b
SHA1: 21bc2dbb32d0fc5fd912f8c97f1449e999d94714
SHA256: 89a391adbb30d9de4e639eeb93fcadccc1d303bc797a81f810791a8abb3b01e5
SHA512: 2aa2f0fc52152b87ede4649bc4eb202f4878bffa05b69092dd73e62aebaf63e384d6e33645b2f07cd23c82a2e766c8c641dcc01808a000b1d47c83ee9a12bbae

Filesize: 1KB
MD5: 5e337a15d35bebc733081bf1537e87c5
SHA1: 4aa25316fb7d867d6bece9c65141aa666dd00ed6
SHA256: c35cf2de3f1c90151024f3230f827a30c81e7b15a218d15d6bfdf626a5740bce
SHA512: 484f59a1702730533f1649ab8b1839c8772e692372ce025a1b909282de688f9208631790a6aab8e66ac1105535e292de3bec06ce5082b0005838d6b0fdbd44fe

Filesize: 8KB
MD5: cd3dfb23567b044dab3e76e10db80b95
SHA1: 305027f27ae60c4b65784f6df7700bb9761595cb
SHA256: c2b225df1d5fa3ba3eefa2ebf8bad59c5f94d35ab30239c2c25980d81f73535a
SHA512: ae01ab446336aaeaa4834850975c35e8100bb823a02eba07f1690060ce985302a992921d9866097208511dbb5b1aa18397102942cc3c1adf6f7c659381c829b9

Filesize: 8KB
MD5: 577ee62008e0bdbdee00f0f8390755cc
SHA1: 5c21a9565418c38eb34921dcb790bd688de5ef60
SHA256: 8c5e1b81b342791923ba020bd28e4069a6f97ea281a4232104ca4aa6fc43afe5
SHA512: 622f65a6f1fa7a15580a32326e35a0e55f40f151a9310e00f18742d5a5804dcaf096965e3165b2b41c6017a49d42d38584213d8e2a4b4912ad54fb41b7a7ddbd

Filesize: 8KB
MD5: c19d3a3dbdfd1558b148154a3fd8cebf
SHA1: cfdd0dfe61128846cdb841b28fbd3a7ba8b23fad
SHA256: bef7ab25bcf13fdf0df5a317330da4aa02e7a7dc2a83793094c9121fa80b09b1
SHA512: 3bf6affc4f89776054498b725040c21e0a31a3bf1f48f7da575766fbe79d2ad3ecef3d6433d876b67acb03152331bc729a5eee63baf67231c60fbd6e59a82eee

Filesize: 8KB
MD5: d2eb6d4e33e7a0bac0878bb77cc3b199
SHA1: 0331eda15963c54b174335ef58548d8147d0391b
SHA256: 1ffe6138fed4badf26ef55210be33304d2f34e46d2190125ec4f089ac047c5ed
SHA512: e61d065767ed73a4a5754035b9584d10c10af0e0b633b5309b795bfa586f4691caf92385422b7de323e2fffb5185bf778abf235760582694894bd0646ef088ce

Filesize: 7KB
MD5: 3010124b75fe73397e28b58fcbdea997
SHA1: b603a6556a2bd86d4e3275c2f4ce45005c079ba3
SHA256: b77a981636b7d8b9a472183cee9ebc046dab8ad1baf0f2033c0da76ae22adbef
SHA512: a08b4fa121801b4a29f9fce6056f36d5b3161cbffc0a4e95ccfcb05db8c037a48af11b6206c5c4d26361bf241735c34dc448a6f9d43668e724e7fb82ed23f37c

Filesize: 8KB
MD5: 3a7e8ee9b26ce4ec556738a6e9578676
SHA1: 2787bd8283a67eae22a9362de9889e536e56533e
SHA256: cf66ebc725f2c0488c165837b4734dcd7f658153ca5af4c483d7302bd02cd6a8
SHA512: c88852ce509936421469dd3a5d4a40a4e4d49ad7db99adadbb7cab03cc1accc40ee77becc244fee1bc79abdd5fc671c662e887201da1e123ac828fa667094815

Filesize: 8KB
MD5: 13cfdd0c62201a72e0a0e4d276395580
SHA1: 1d21063e194c5f44f3d691d4fc8b6a2a0754bc95
SHA256: 2b7ad96a54822a58b2e8f4c9fdc2e3f6b654f4de64b3ce0599fb029278c823b7
SHA512: 16e39a1641e906a667a2c687f43657414d83ba16a2c92d119e73b54e960b5cdd9d3eb03b46f3c3f91f4674fc65b67491725c68c96d97960c0f284eb134492b81

Filesize: 144KB
MD5: 01e4e53a216a5d91c2f45310dc5cc766
SHA1: d3c26bb7236d886db4454f51d6b4378623547e35
SHA256: 399b1dd1bad44ed406bc0cb61cdd5c0a9d8f2d48ef926ced64ac9bc299e6031f
SHA512: 2fdc35741c9908f920462d01cb36e0a2c43087147bd7eb77e6802cd359d31b779c1e5184ba25ba1e3ea31198b4896d775e4d0b7e0c7f3c3df387481d3d05c8c9

Filesize: 144KB
MD5: aeafe33e47780074e24c58fbcbf0326d
SHA1: 6a6e79cd457eba28f82893fb71492d2c508186a7
SHA256: 4dd3c62b655b6410a662326a0673d0eb91ef851496deb8b3700f84e2fac816b8
SHA512: 193f730fc10a33b666424e92569d207a5b35c52ff27a0701014ad903be90252ef88c50f403b013a68da1add97cdf3e237899e44d66767fb088e9905224b7c713

Filesize: 144KB
MD5: 4c0f675aaaa105a3431a79e32b04d2c2
SHA1: a2c69257edc9316c813f1dc0899d5eb09b2950de
SHA256: 6d56075ed2149ac9d71eff8177c90fe530a111bc27957ae5e9521ca3b17af914
SHA512: 38e44dbfa49a3ee36effe9468abdf5536aeccf118bfd115b51895c85e9df2efc31ce42d6572524364af0f19281a8867d090173ef72ce6c65dc4dac86cdb6b22d

Filesize: 144KB
MD5: 835c51792647c72088aefcaa9cc69e43
SHA1: e31cdf5163f6947c6a2301f63b170c3bc9df0e38
SHA256: 415c1d434f1feea5eba8d974ab991980b9c34fab304f8730d021f08419d41a04
SHA512: 30545b536d2552f250d2dee8e77c2ff7946c05ebebb36d648b1fb7f261b044a898143d9131174147068086cd18ab6504a817da068c4ab79766de3b0f8b2fd41f

Filesize: 108KB
MD5: 16671788ae41b4f80760256098a8af8a
SHA1: 07091dd4c12b3e1f0ee160c3bc72eafb47014de6
SHA256: 37dc450894707d406f16b10e08f149aa09ce7718f10982a35393a20d4d68309b
SHA512: a1c7673f2224f1cdf9d68f892ad691145b08b180d094274c2d7fa0d99b4239e2644f643a79ce519a459ebcd3e63b10783620880e18372045c4b17302a7727f0a

Filesize: 110KB
MD5: 03c9e607a7e78082f6b867df55d02232
SHA1: e9e4946ae49a628705e80d14b45bace48d11cac0
SHA256: d01e93e1128071add11ced05a2aa9822c2dcd44751e733f83aff710d87bb27d5
SHA512: 1fe39028834df15395a3adbc9ee70a71dbee23ce26ee99328ddb5a5c3b6ec1b785f8ad0090a362832a9517590f9b6fabf9a3763527f6f256335dfc380d42c1e5

Filesize: 113KB
MD5: 0ef88919cea135554526ed8d591ee6bf
SHA13d0762b96bb9f32371d4896ce70384e8cc6bf0bc
SHA25632048017c010c0c78df770251a0814263c634b4f4c25ac12a9aa36701795a18c
SHA51232deb1eedc61411c38bf0a5e511c1cf4c97965a5c0a9caaf626d2f213fed05171be580a25c93f9f7b664cad3589a0e9c2ef014e0bb448cbb6938f0339ffaf1a7
-
Filesize
264KB
MD5d7e4297620eefb00d12e6296278f72ee
SHA140cb78d33a6e72eaa841916bf622fc2e73594016
SHA256944707f924f80e21b33b6d873c46cc0bbbc3bd9bb40cb79bc78102e56a756fad
SHA512cf1b82de8c1f808e0bdff433e65386d9d0613296ff301a9510badeb7cf4a74c45f03dfb06f61a5984b130ae3938fe3082c36cdb2726e70e86653b5b6cdcd491f
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\1BD06364B17F941101FCC95275213BEB65016BDA
Filesize60KB
MD5191c5c62d2d3d36ab97ca5d9e3f3425c
SHA17a672f0b5cbc9d6c543737a89b82a3b48a1b8441
SHA2560013c6ec8e2c26236824fc7f81f6abd1ab2883a1b59f1e7149f09f12aa509d05
SHA512045dd9720914d219ef399f956451016a18056c510603a253fc8fb4ea84bbb3c8ef412a1df8c93233c43280ae257a88565a60794c49fcc740b3f2e1c3ee4b6471
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\3U060U1S\dotnet.microsoft[1].xml
Filesize13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\3U060U1S\dotnet.microsoft[1].xml
Filesize84B
MD5effbfbc6cbc80990035d95c437f74880
SHA11a5f3cac8a59f8eb4ea09d15b7f565cacba182fb
SHA256c5ecdd87ceee893d819e905fa5896eb48e817fac0d02562c40930dd4481f9ec3
SHA51264d0a7fd8ee65b057e1e4442fa9836c8081edc69e71a222dd41e6d9e1caf3098e688daa1d2af266de31de9d1f04c9d4ff65fe4b72ac81b406dce9eafe76d0f78
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XT96ABW6\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD5e62999f555fe3ff88c7fa49d5258eef1
SHA1f2b5f1156ae9a402c451f95fb2dafbc1860ff190
SHA256826b0dc18afe815c4f42c4d58be3672b5002628e9bbc4bc37917858f78bd1bf9
SHA51286561d5a14c21dcfab86c5e3310201ba79bff080458ec08125f4f22320a091bd24f3aa6135dca27ec731f627030a783495183be1264aefdc0206b3ecbae144c0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD5bc254bc06b3f104cfda0b658c1daec32
SHA18239f8ffc721ddd268226b7747efe7538543fdae
SHA2563684ad72ba269ff0df3a2dae8064e90a67152024abd3923cf6bc93d0dbf8b0e0
SHA512dd6ec3383239569dd2b48cb75afd999c728bcf10505d633fccfa4b30240099b91afec79be10a699542fc6277e62a7e5c701a3edd53a146001d733139da6581ed
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF40E218F3DA3E3FFA.TMP
Filesize16KB
MD5e8c986538b90925a3273429100978c5b
SHA14e785c98f8f4adfc4468a03b510944c6ffbc3a69
SHA25642c52fa61f9fb7e85868d76044182f5ca8dc7c45cb1949f557a64d78398483e2
SHA5121671ecdf8b05303af94b4413ab80f02a788f1cba370a48e97ed11ba7af26eec5b417a08c5b03a0bfefe29bdb82a4038682205d4bcda69c56a7158ee4740786f6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UQZ8KLN5\windowsdesktop-runtime-6.0.30-win-x64[1].exe
Filesize1.6MB
MD576443c56f7b2b3dda085581c479193cd
SHA163bbbfc808bcc291d587aa180f5b2b2a99e63ae9
SHA256e4a9764e7b8110dba5a993344376793c7f35ffe9f0303e07b39f62d284000b35
SHA51278f368508af01ef593f2dd1e1fb7b75ab6a489fe8ae70c8545b71b82acc6fcbe11a86f9ebeb444f3032d521cbe8ca4c7c32bf16cacffc12a95b3a486c06c5b97
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD51e6cd117d9b95b7c90077795286440fc
SHA1763621cc7ffdb1d31b1616dfba2ca607ff777b68
SHA256bffd707c9f41f77459397c5a8ac6a4de4c89ecff39fdbc932b92d631d19fe62c
SHA5120e321ab3bbd602ef0b8ebb5577c335d47d6c3766387c3ad8f3d8e624ff63fb129c670a9b98b0abe986dbb4a842441b15ed1eeda33e84fde3827c3afd8145ca02
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD5fa424fcc4f0206e063f96637236fb7ea
SHA170cb24a81d05b05abac9e796717fe3ffe9469cf7
SHA2563e89855eb3eae573f2a449dfe319fde157b3872630be1909d5f9221963d5a52e
SHA5126bcce701af4920d6f484019bb5da208c1ecec4409bbb8c758a7e19767b752a57ac987d66fc69136d8ff0557f1f6048d71a97c61ec5a4ad57d416ddbadbb40c7b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize2.0MB
MD5c66a08eb5556580b4141d1ee03497384
SHA1b218df1e6d2dc51682fd531331366128e7f26f6f
SHA256594d4cdc54f9dd1afd7fb0724bec41f4c86dbfd9639b3e2ee9cad8e25cdd7cf4
SHA512f0cb53e3057025317344b033684fbcd364282cd57272a5388d402ca89d55591d8963df06ccf9c28c6a4accbba2f48ca26327043ec737f4f067ce9e6fab6a9f1f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize16KB
MD52be3743527d5942c0d011aad3931962d
SHA1f64685e4fed458dc4234acd4abc1cb704988a959
SHA25642a77fd28a0bac1e94d9a10716955a42defa5f2c3eb348c0791a8efc56663b76
SHA51277b33eee9d57a25fde0327da30a8fe917f369ee8ba0a53edbad461814fe80c9a93c0d9bfd02f215785fc31a687eb9a84a6ee767d2234788613eb372ac5b5abb2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{C8136E95-C208-4983-8D30-1ED0C4EBEDBE}.dat
Filesize5KB
MD55153790a86034f0eb8aa7ff4a9d689f1
SHA1aaba8fb6d2f0518436922a9ea17a278ee427d78a
SHA25660738b172ad709882fee8cfb481bd7580b47efc43908dd3a0f1177bf84a00f13
SHA5127c6de35f5966edaac16c8329eed325720f9a659186db36171d05df342cd2cefa2018ab96e3ee8726798c91c4f165af4728e8d0f2dd12b16f19a7b9c179e15649
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{3D103C3D-2EEF-4861-9A0A-0A5D631845ED}.dat
Filesize4KB
MD5bd4aa0cde1d38ca1c5a9f7e9b58f8123
SHA1dacf13759421fabff218f40f7210d2d298b534fb
SHA256f40895b67ed896aeec3d619e0c26d6231527e82ffd27ef114a84a53681515497
SHA51279928cd808d13080d9d2e0ac163b1217c65bafeba8c4efdaff98a61508a20c978948e15a23956f57d3ebc451ca9d279020a3a8ffa515bdb34f3c8318c1b3b011
-
Filesize
5.7MB
MD5938199ca646378b696716037afc964ba
SHA12d865bfeccf3badef2f64e5d6453e6ab71d5f5a7
SHA2562acc3e0879e4a71a6b08e2d6af7b238198d2eda73518b9394d82d00b010c9d7e
SHA5121a37727c5dfaffa3023845592b400acc226face537176064698b8415d79284b6276fe68bf0e5870dc8898a846f923bd95eaac1d185613759ad6ca1068456b322
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.30_(x64)_20240528091847_000_dotnet_runtime_6.0.30_win_x64.msi.log
Filesize2KB
MD51069f4a06c808bed50ff6e233c767108
SHA119ac0277aab4a42d8fff2015eefbf7fc9e3c3d61
SHA2563b95655aef616d3e2c2ff1258543fa7301a16d667d231f0346fe5b56f16dbaa0
SHA51254b6e4cad8669cb965fc2a1fc6e54cdd67cd83efac9ee05485ec7d666510057cee289acdff08e4ba8d633b2d942af91e163b012e267afa56566ba03644620d85
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.30_(x64)_20240528091847_001_dotnet_hostfxr_6.0.30_win_x64.msi.log
Filesize2KB
MD58d082fac665615ea49f19cd387a853ad
SHA199dfdc9d29accd71e904cc1478dce0f0a0824a24
SHA256d360f0db58d37ecfb785f16126d8b2472c90b2e68a05b9902f052d1cbf95e855
SHA512fdb30383177cebe6f24df1a43d49565b812cecf3a7df4631bf01c936678116ebf0180e4ac1a4c11713d882b7b96fa7836b904265c8641c90bf1af9f62f2cf386
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.30_(x64)_20240528091847_002_dotnet_host_6.0.30_win_x64.msi.log
Filesize2KB
MD52e3a345cfb8b69e617adebbbaffd8b9e
SHA1a1edd5baef79641da93ef246cceaa0eb8d5fcef2
SHA2564993db4b670d5209df9be606a8181825ecd3136a92318666252254e75539fefd
SHA512b6f455f1a2f750742011f5561da5e700648a53383ece8a3d8cf2adb5cc71e6a2873d9168df0465f3b45e14dfeffc2fe614b03df666e9eb8d1712443ed5d46dcd
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.30_(x64)_20240528091847_003_windowsdesktop_runtime_6.0.30_win_x64.msi.log
Filesize2KB
MD5b4f2b2919974e0eda72f6dd6c5d80dcc
SHA181f983f39999f70566fb34f52e129c147ba1f5fd
SHA25602efde80cdfff3765948264d91984cdf8edc4b505ea084c25ad18b4ab0829aa0
SHA51285582fbbabd8031e7de9ddebb27af5c59ee17e880b037b617b54d6b1a1932b7c9b21846eb9ff6e1af27744ae205088270b4cb3199f0334477c2fa14f1331e4dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5960c78ce48b8262b1446734c044de847
SHA12220b2834c4614bdddeb288cb521420013a0b188
SHA256352fbec889f67bdc73acf15b7e41fb547d950c164a42ddbad90c03657cad4ae9
SHA512136143f00bd0c9e838483f351be2fbb3dc99c8eca6da44e4df5752580109cc528cae4b5d5d792db0c2f36e009ab2d476e9f9e9558e4c8ef461763599b33f1bac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\1c08f94c-faf2-4b90-86ca-09d941a9a336
Filesize746B
MD54db96fd9e92e1c6f5b1b915756c6a7c0
SHA1100d31ab36c8eb10eb2704928f947af1c82e4875
SHA256489457fb0f2eb0706dda0f75bc8ea04cd8624611c7d83cd68b38be0cd9118239
SHA512b59fe26741526be77c8974461b25f37e49fbcc0707eadd5f5c2163b10193a14fe877b9d366c561f5289a10c3d2324a357b6ea665ca67f2b8a02746838cb8c4d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\27059eec-eaef-4d46-a5e9-2d28e9c05774
Filesize11KB
MD54de25cd9b26f763a7642a48ccd059a72
SHA1939d350b9b91d12be5d9f84feab079fc87fce643
SHA256ccee249980147c96aaa80d1b8620aca8b3610b70dd0bce4060ce9e67e8bb6dff
SHA512a0844e2e2989588579dee6d1126e668ec4ebc2af8a98d2b032ed17ff7a6e100c22917d4687418fc3ffa92d3163a3cb21f0aee74e08c1b88abace536a1066bbe9
-
Filesize
6KB
MD591cf568c4f261a3b3068f5592fd258e2
SHA145a688cc1a2b35665d86c4993a011244f1a5e40a
SHA2566e9eb1a94f237ec075c3d40965b6f8bf584ce2207edbebd0a9f6fbad4210002e
SHA512a1174d37109a64ca913185fdad2b24774ae64f730ddf78da2733fceafd59c9ae7bb14c08c6f67bcb2c0fd2bff1d662683983c33f82b11a7daeb0b2647a88de1b
-
Filesize
6KB
MD51e61341bde63c1e4088fa8658e43a146
SHA13b89790e4e0b965a978ffdc36d51fed8623f21b7
SHA2563116d27bbbe64a8b6f9b771785e1f8928bdb3819f8a3a49476ff875fc07a73c3
SHA5124a80ab6165599c9010ea14a79fc5652b9c33982808e14cea6e15e44efb86f10559ce3b95b8f2988fddaf8cb44c487d0fca6cd84b4f03a451e16fd4abb9aa0afc
-
Filesize
6KB
MD56ab11bf5e0536f3b3475ebb994ce164b
SHA1c658ad1eae5c457d47ce6c595ab073cb05b543f6
SHA256c15957cca503a945bc498f9e2f819bb795e82cd865d460a1a72ee9fc5701c342
SHA512db31f40aed8f72cdabaa1a5e66b91c3f72cb7b5e0722ae1e654e64580b231caa77dfe391c8591884dc12cb7e55611e64aa507e5887bebbe06213942ccaac6fa6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD55e1942ceb11a7f71fd850befdcbcf3a2
SHA1c10caf528fa38e278d76fce6b13813b065329106
SHA256dff5cf30636b8232a003fe97609294e7620c576c24559c01e3c3b286fea3a1e5
SHA512a69601e4c231254fbd5346a84502f062818a7d6b3ace7c8db8abc0fb6b1adec2a0f3b2a17e4def5d197fd5455efe4f6063d4a95d1af19216e0b7f2215c8e3c83
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5143bb1e0c3622c8ad7b3f13338bd75f1
SHA13a0fb12ac137bbd265200d213e27fad3ed6cec9c
SHA256abbd3b23b9ace748e96b45f3f0315a01648effccfad8bbe0e6afcc0ed7323f5f
SHA5122e4e19e327a496321fbd45ecf35bda5038c126fd253907d378c87a6f67205fdbc0264509c85ace4de7b3ede3519f5eb41c21416424a7b45575fb6eacecdccfb7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD55158c5d9c335d004beedc906728a53bd
SHA119d44febdfc71009eee2b2199d0b4f5da4b77e3e
SHA2561098f1c9d64273aa05fa1c3f3cffdc7bdedb04a7832bd4c3a9cd607ca0520688
SHA5127589d53864d3319b3526d796fb3cffb9ebb539062738b1cffa55d706f8b37b8e7d3b2d55d86524a93a7b83ae5ffda2d614e9e73fc06e678a91a0b5ef4c7e3fff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5d70f20df3efb98b49a782a54ca60c7f0
SHA1d79f0df1d573b49d0f66413348ba793aebb92a54
SHA2564898db9d90ed46f0119899104026ac8c45e1e253389d7d4812f499e1a2df787a
SHA51235f3f8e2e9b6ecd7956a4ab90f4a8bf2cfd29d52e31e4546fd8530a7e50faa8c91e56689deb22e0f4f7ea7e3ddba51c7ff7a7444e5093df68eda83c7898f987a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore.jsonlz4
Filesize4KB
MD5dc676798521a50cc3e30f7ba6c46e88b
SHA1973dfbd41e4d4f9abb49cbbe9a21455c118d439a
SHA256670785582c33c6b9c6b48ca8ff20e483b0e9399f0641412899808abbe2d160f9
SHA5122807731006830527b45d988438843aa1d2c327e7bfa04debf8395bc8d495e4dbeb2a54b6187424314f3606bca0c3d51c8599f82edb5d59f5abeb3d381b4f3f01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5637e42544bf4e4e5c858d87fceb302a2
SHA11d747ea0d89437cd39d02c76ed70df3b7c505ee1
SHA2565a519846989ec4eed303d9fe8b5554410b502177bb6b4199c6cf25290a4913c2
SHA512bde691d8015773707c4445155ba1ad419033c335bb11ca325b9c249e8aed83fefd096bab28806213ad368508e2a5be362c4a5a8038dae40246a8bf0a246cb8cb
-
Filesize
5.3MB
MD5f8abc05327115c321307efaf662498bb
SHA14d848adb9b0a5b278f97f75fa125145dcbffd572
SHA256c89eda2b48317bd4da398d59213d86afa0c06034cab5e3ea5df5865e369d2a0f
SHA512a6b70331ad553645cd82edc5f6bfa50b4bb16bfc2443469c7eb1ff79e6b4a246cfd7de0691da400777651529a2bca20311645a763dffbf7e10cc4334ab074ae4
-
Filesize
227KB
MD505794a97079226b97c0004407ba30117
SHA16d8035c43c90a36df0e6849270daff3e879c3acd
SHA25677da62edb2b6fa92c2ca4a5230c034f3e67423fda0cca1d95c039295e7485ba2
SHA5120c396873b6256b3a46aa4ea35e6191f6cfc3e33e9ee842fda30930e94e8a9b356dd58ce8b0d23d968dca979d66f9c7af8520546595963ee1c42f92c2bdc72d2b
-
Filesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
Filesize
5KB
MD5d5070cb3387a0a22b7046ae5ab53f371
SHA1bc9da146a42bbf9496de059ac576869004702a97
SHA25681a68046b06e09385be8449373e7ceb9e79f7724c3cf11f0b18a4489a8d4926a
SHA5128fcf621fb9ce74725c3712e06e5b37b619145078491e828c6069e153359de3bd5486663b1fa6f3bcf1c994d5c556b9964ea1a1355100a634a6c700ef37d381e3
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
7KB
MD5e16471d0ed887f051cb5250583d4efa2
SHA161e8c0e85e657f9ff80474c69473bd73d5d6517c
SHA256ef759cfe5e4959eed29883167dc558e2e123439c45978bd972c3de67e8065e3a
SHA5126e7f1dfc706d6cbcab6229b70fa7ea10ebad8feb4161cb46119dd6aa2dc3265c3e156e33840fe488d37f096a99c2d035db79c101479d6d5c6a960cce80f05052
-
Filesize
11KB
MD5302563a713b142ee41b59e3eeac53a90
SHA11340e90cc3c6c5fc19a7feb61d7779f4a4f0fdb5
SHA25683ca096f7ba2c83fc3b3aeb697b8139a788fa35eb8632943e26bb9fff7c78e63
SHA512c9d4dfc20802bb542178300d1044bb94b35593b834ab0b50875a32953f890e48da456199128500e2c1fee26eaaf8c2c4fcaffb308b37914215f900cdd5c4cbc8
-
Filesize
736KB
MD5b26417551eb17755568f7ef57baa686b
SHA16de492a624e3fbb535297bd52a4389da2e8d5f7e
SHA2565f14f0a557f63c5bb4209d637421c5cfd8f8cb757f3a92f66bdb57a157b0ae7a
SHA512d523f83e704f9dca5a68b0ac864e4fdcf03e9f728c60702297c9ccd4d04416dbc61ce52169197d9b790e544f0112a33043333324fcd92b3b7dd615207a6a43b4
-
Filesize
804KB
MD58feacf4214d33dad5dd9b842bc38860d
SHA11a6fe21717a9f98bea3faafc17d43f493938d739
SHA256ced72729072a390028daecedb1cb144b004c3612df4fbbba9370887b71c75bfe
SHA512a8cee6d084fda8cf85ce80e2010a653569172a5e85ef2b4999d994d30cc2919c6b667130b082ff305a6bc5ead1b0dc62bcdd38368cb0c6690526c68dbdb07dec
-
Filesize
25.7MB
MD582b1b75983f282e345f7f73674e4f471
SHA1e125b7bff17dcfab4a063463cf51f1f17f7b46f5
SHA256e540a9646e80109e9a3b0274a3b86ede389c7f6c42c3d2f02c9ca1e67b70e9a6
SHA5121fac8a9b1c054ec1a3e04b32494b0793412e20769991ef8dd64abd5d7707dc66c931958ea3034ccd173afbf0d1152ea67c3c7e02ddf7dcb30d2338d168c41d2c
-
Filesize
28.6MB
MD58d4f43e61d0566cc9e74294356bedbfd
SHA1c7ed5529c7f4140441c990f0e55473ff67a2ea5d
SHA256ee4ebbea65504c21927a6c1cee17392ed0d99f87ed91742032e7345439c7b981
SHA512067f69f326786d4aa54d75bf903afd465ebf7a462cc14ffd2ecabcb01939295e01103bee212c1b7dacf76eaa51890cca3e16d0b25c58740487e0a6192a7ff928
-
C:\Windows\Temp\{BF2682B6-7959-44D4-A427-2B430C339FB3}\.cr\windowsdesktop-runtime-6.0.30-win-x64.exe
Filesize610KB
MD597950fc82256acf36e4c3eb9b995c291
SHA1e6ff02970de20825f58dd92937a74fdcbbe03bf7
SHA25636f66348df78764dffa05a821d0ca8a0702d2f44a8b49c7bea1dde8ef3a75331
SHA5124be20dba34e221fb5780c7b8d40662d74d2d2a69993ceddd48c876e1611158701523619c640c72c9d5e78f77e81797c8776118b23aee1dcf1eeb6a70dbe9ac92
-
Filesize
197KB
MD54356ee50f0b1a878e270614780ddf095
SHA1b5c0915f023b2e4ed3e122322abc40c4437909af
SHA25641a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
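The dropped-files listing above is the part of the report most often copied into a blocklist or a hunt query, and the extracted text is inconsistent: some entries carry a path and a fused "Filesize60KB", others have "Filesize" and the size on separate lines, and every digest is glued to its algorithm name ("MD5cd3d..."). A copy error in a 64- or 128-character digest is silent unless something checks it. The following is an added example, not part of the sandbox report or of any tool it names: a Python parser that turns such a listing into structured records, accepts both the fused and the "Key: value" layouts, flags digests of the wrong length and entries missing an algorithm, and deduplicates by SHA256 (the same path, e.g. recovery.jsonlz4, appears several times with different content). The names DroppedFile, parse_listing and by_sha256 are chosen here; the sample input is three entries copied from this page.

```python
"""Normalise a sandbox "dropped files" hash listing into structured records.

Added example; not code from the report or from any sandbox vendor. It
handles the two layouts seen in the extracted text: "Filesize" + size on
separate lines or fused ("Filesize60KB"), and algorithm names fused to
the digest ("MD5cd3d...") or written as "MD5: cd3d...".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest names first so "SHA512..." and "SHA256..." are not read as "SHA1" + digits.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*:?\s*([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Filesize\s*:?\s*(\S+)?$")


@dataclass
class DroppedFile:
    path: Optional[str] = None            # the report omits the path for some entries
    size: Optional[str] = None            # kept as the report's text, e.g. "8KB"
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    def is_empty(self) -> bool:
        return self.path is None and self.size is None and not self.hashes


def parse_listing(text: str) -> List[DroppedFile]:
    """Split the listing on the report's "-" separators and return one record per entry."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    expect_size = False                   # True after a bare "Filesize" line

    def flush() -> None:
        nonlocal cur
        if not cur.is_empty():
            for algo in HASH_LENGTHS:
                if algo not in cur.hashes:
                    cur.problems.append(f"missing {algo}")
            records.append(cur)
        cur = DroppedFile()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                   # entry separator used by the report
            flush()
            expect_size = False
            continue
        if expect_size:                   # size was split onto its own line
            cur.size = line
            expect_size = False
            continue
        m = SIZE_RE.match(line)
        if m:
            if m.group(1):
                cur.size = m.group(1)
            else:
                expect_size = True
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                cur.problems.append(
                    f"{algo} is {len(digest)} hex chars, expected {HASH_LENGTHS[algo]}")
            if algo in cur.hashes:
                cur.problems.append(f"duplicate {algo}")
            cur.hashes[algo] = digest
            continue
        cur.path = line                   # anything else is the dropped file's path
    flush()
    return records


def by_sha256(records: List[DroppedFile]) -> Dict[str, DroppedFile]:
    """Deduplicate by content; one path can be listed several times with different bytes."""
    return {r.hashes["SHA256"]: r for r in records if "SHA256" in r.hashes}


# Constructed sample: three entries copied from the listing above, in the raw extracted layout.
SAMPLE = r"""
-
Filesize
8KB
MD5577ee62008e0bdbdee00f0f8390755cc
SHA15c21a9565418c38eb34921dcb790bd688de5ef60
SHA2568c5e1b81b342791923ba020bd28e4069a6f97ea281a4232104ca4aa6fc43afe5
SHA512622f65a6f1fa7a15580a32326e35a0e55f40f151a9310e00f18742d5a5804dcaf096965e3165b2b41c6017a49d42d38584213d8e2a4b4912ad54fb41b7a7ddbd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\1BD06364B17F941101FCC95275213BEB65016BDA
Filesize60KB
MD5191c5c62d2d3d36ab97ca5d9e3f3425c
SHA17a672f0b5cbc9d6c543737a89b82a3b48a1b8441
SHA2560013c6ec8e2c26236824fc7f81f6abd1ab2883a1b59f1e7149f09f12aa509d05
SHA512045dd9720914d219ef399f956451016a18056c510603a253fc8fb4ea84bbb3c8ef412a1df8c93233c43280ae257a88565a60794c49fcc740b3f2e1c3ee4b6471
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UQZ8KLN5\windowsdesktop-runtime-6.0.30-win-x64[1].exe
Filesize1.6MB
MD576443c56f7b2b3dda085581c479193cd
SHA163bbbfc808bcc291d587aa180f5b2b2a99e63ae9
SHA256e4a9764e7b8110dba5a993344376793c7f35ffe9f0303e07b39f62d284000b35
SHA51278f368508af01ef593f2dd1e1fb7b75ab6a489fe8ae70c8545b71b82acc6fcbe11a86f9ebeb444f3032d521cbe8ca4c7c32bf16cacffc12a95b3a486c06c5b97
"""

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.size, rec.hashes.get("SHA256"), rec.path or "<path not in report>", rec.problems)
```

Feed the whole listing to parse_listing and review the problems field before exporting anything; an entry with a short digest or a missing algorithm is a transcription error, not an indicator.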