83c4e5947870b7b9f06044624b420ddc9fbae6898a5c9b4420c3dbeaca508bb9

Analysis

max time kernel
1050s
max time network
1052s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incognito.exe
Size

6.9MB
MD5

10bbd38c21ebf84fea97c3812d57d9c6
SHA1

293cec0d7f44151ffbf88dfe408265825f8bca9b
SHA256

83c4e5947870b7b9f06044624b420ddc9fbae6898a5c9b4420c3dbeaca508bb9
SHA512

a00ec8ed84b806c4aca8564354a6687da64b999d255df7fea4c38e6026c8a4cee665414e96d5e28904d051f4c1a6956193a96c12e52286d6d7f58f39bae8ac31
SSDEEP

196608:ESw7sghUuE1R1R9iVTdRUo/Rf7KG0ZLK+4eCA6Pt7R:PwDh10RsFzUURTclC5t7

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe

Executes dropped EXE 43 IoCs

pid	Process
3304	test.exe
1392	OneDriveSetup.exe
8	OneDriveSetup.exe
1760	FileSyncConfig.exe
2080	OneDrive.exe
5908	incognito.exe
6068	test.exe
5900	RobloxPlayerInstaller.exe
3096	MicrosoftEdgeWebview2Setup.exe
3620	MicrosoftEdgeUpdate.exe
5372	MicrosoftEdgeUpdate.exe
5092	MicrosoftEdgeUpdate.exe
2516	MicrosoftEdgeUpdateComRegisterShell64.exe
5244	MicrosoftEdgeUpdateComRegisterShell64.exe
5552	MicrosoftEdgeUpdateComRegisterShell64.exe
836	MicrosoftEdgeUpdate.exe
5964	MicrosoftEdgeUpdate.exe
3648	MicrosoftEdgeUpdate.exe
5816	MicrosoftEdgeUpdate.exe
3452	incognito.exe
5224	test.exe
5128	MicrosoftEdge_X64_125.0.2535.79.exe
1384	setup.exe
3312	setup.exe
2380	MicrosoftEdgeUpdate.exe
4376	RobloxPlayerBeta.exe
4788	incognito.exe
6040	test.exe
3664	RobloxPlayerBeta.exe
5644	MicrosoftEdgeUpdate.exe
5408	MicrosoftEdgeUpdate.exe
4144	MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
4484	MicrosoftEdgeUpdate.exe
5720	MicrosoftEdgeUpdate.exe
5372	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdgeUpdate.exe
5896	MicrosoftEdgeUpdateComRegisterShell64.exe
964	MicrosoftEdgeUpdateComRegisterShell64.exe
5436	MicrosoftEdgeUpdateComRegisterShell64.exe
3660	MicrosoftEdgeUpdate.exe
216	MicrosoftEdgeUpdate.exe
5432	MicrosoftEdgeUpdate.exe
5716	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
3304	test.exe
1760	FileSyncConfig.exe
1760	FileSyncConfig.exe
1760	FileSyncConfig.exe
1760	FileSyncConfig.exe
1760	FileSyncConfig.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe
6068	test.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel = "Both"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileCoAuthLib64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Checks system information in the registry 2 TTPs 30 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4376	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 42 IoCs

pid	Process
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\TerrainTools\EdgesSquare17x1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2F8.tmp\psuser_arm64.dll	MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Motor.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\VoiceChat\SpeakerDark\Unmuted20.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Emotes\Small\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Emotes\TenFoot\SelectedLine.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaChat\9-slice\scroll-bar.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaChat\icons\icon-share-game-24x24.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\SelfView\SelfView_icon_camera_disabled.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\TerrainTools\mtrl_cobblestone.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\MaterialManager\Filter.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\StudioSharedUI\folder.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\InGameMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Settings\Radial\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2F8.tmp\msedgeupdateres_nn.dll	MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\Debugger\callStack.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\DeveloperFramework\StudioTheme\search_12.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Chat\Chat.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\common\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-instudio-14x14.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU93B1.tmp\msedgeupdateres_mi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\ca.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\models\LayeredClothingEditor\MeshPartHeadTemplate.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\fonts\Montserrat-Black.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\ga.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\dropdown_arrow.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\DeveloperFramework\slider_bg.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\TerrainTools\icon_regions_rotate.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU93B1.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\AnimationEditor\img_eventMarker_border_selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\StudioToolbox\AssetPreview\Link_Arrow.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\VoiceChat\New\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\MaterialGenerator\Materials\CorrodedMetal.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\particles\explosion01_core_main.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\TerrainTools\icon_picker_disable_dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\MaterialGenerator\Materials\Sand.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\newBkg_square.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\AnimationEditor\button_popup_close.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\DeveloperFramework\Votes\rating_down_red.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\ImageSet\InGameMenu\img_set_1x_1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2F8.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\PlatformContent\pc\textures\water\normal_06.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\localizationTestingIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\fonts\families\PressStart2P.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\SelfView\SelfView_icon_mic_enabled.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Controls\PlayStationController\Thumbstick2.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\ExtraContent\textures\ui\LuaChat\icons\ic-friends.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\avatar\compositing\CompositLeftArmBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\GameSettings\zoom.PNG	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\Debugger\Breakpoints\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615802295261161"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "IFileSyncClient4"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ = "IFileSyncClient6"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\ = "{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\ = "SyncEngineFileInfoProvider Class"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ = "ISyncEngineOcsi"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\PROGID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\INTERFACE\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ELEVATION	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\win32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\mssharepointclient\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\Microsoft.SharePoint.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}	OneDriveSetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\WOW6432NODE\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\ = "FileSyncClient Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ = "IClientPolicySettingsEvents"	OneDriveSetup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\incognito.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3128	OneDrive.exe
2080	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	OneDrive.exe
3128	OneDrive.exe
1392	OneDriveSetup.exe
1392	OneDriveSetup.exe
1392	OneDriveSetup.exe
1392	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
8	OneDriveSetup.exe
2080	OneDrive.exe
2080	OneDrive.exe
5900	RobloxPlayerInstaller.exe
5900	RobloxPlayerInstaller.exe
3620	MicrosoftEdgeUpdate.exe
3620	MicrosoftEdgeUpdate.exe
3620	MicrosoftEdgeUpdate.exe
3620	MicrosoftEdgeUpdate.exe
3620	MicrosoftEdgeUpdate.exe
3620	MicrosoftEdgeUpdate.exe
4376	RobloxPlayerBeta.exe
4376	RobloxPlayerBeta.exe
1920	chrome.exe
1920	chrome.exe
3664	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe
5644	MicrosoftEdgeUpdate.exe
5644	MicrosoftEdgeUpdate.exe
5644	MicrosoftEdgeUpdate.exe
5644	MicrosoftEdgeUpdate.exe
6060	chrome.exe
6060	chrome.exe
5408	MicrosoftEdgeUpdate.exe
5408	MicrosoftEdgeUpdate.exe
5720	MicrosoftEdgeUpdate.exe
5720	MicrosoftEdgeUpdate.exe
216	MicrosoftEdgeUpdate.exe
216	MicrosoftEdgeUpdate.exe
216	MicrosoftEdgeUpdate.exe
216	MicrosoftEdgeUpdate.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	test.exe
Token: SeIncreaseQuotaPrivilege	1392	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	8	OneDriveSetup.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	6068	test.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	3620	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5224	test.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeDebugPrivilege	3620	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	5900	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6040	test.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeDebugPrivilege	4976	firefox.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeDebugPrivilege	5644	MicrosoftEdgeUpdate.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3128	OneDrive.exe
3128	OneDrive.exe
3128	OneDrive.exe
3128	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
4976	firefox.exe
4976	firefox.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
3128	OneDrive.exe
3128	OneDrive.exe
3128	OneDrive.exe
3128	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
4976	firefox.exe
4976	firefox.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
3128	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
2080	OneDrive.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe
4976	firefox.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4376	RobloxPlayerBeta.exe
3664	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 3304	684	incognito.exe	87
PID 684 wrote to memory of 3304	684	incognito.exe	87
PID 3304 wrote to memory of 1900	3304	test.exe	90
PID 3304 wrote to memory of 1900	3304	test.exe	90
PID 3128 wrote to memory of 1392	3128	OneDrive.exe	112
PID 3128 wrote to memory of 1392	3128	OneDrive.exe	112
PID 3128 wrote to memory of 1392	3128	OneDrive.exe	112
PID 8 wrote to memory of 1760	8	OneDriveSetup.exe	117
PID 8 wrote to memory of 1760	8	OneDriveSetup.exe	117
PID 8 wrote to memory of 1760	8	OneDriveSetup.exe	117
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 3796 wrote to memory of 4976	3796	firefox.exe	124
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125
PID 4976 wrote to memory of 1864	4976	firefox.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\incognito.exe
"C:\Users\Admin\AppData\Local\Temp\incognito.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\test.exe
  "C:\Users\Admin\AppData\Local\Temp\incognito.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Incognito v1.0.0b - public
    3⤵
    PID:1900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Adds Run key to start application
    - Checks system information in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1760
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Registers COM server for autorun
      Checks system information in the registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.0.1444682737\2029918735" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {560c78f1-628e-477f-9e1c-48e8400a93ce} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 1868 239744aaf58 gpu
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.1.678059331\2007279771" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b331e7aa-66e1-43ca-9e73-c4d5c7baf6b9} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 2436 2396768a558 socket
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.2.602447172\2066228075" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7177e101-a584-43c1-b645-a60b7442d91b} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 2996 239771eb558 tab
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.3.217502278\447724858" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 2744 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d71d140-d870-439a-9f45-c0fa7cbda9a8} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 3704 2396767ae58 tab
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.4.340626225\1392132316" -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5232 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02794153-4b7a-4ffa-9d99-92a02a121c19} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 5240 2397bb06858 tab
    3⤵
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.5.175939147\1383957661" -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df37853-054e-4e91-adbf-774915a2d288} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 5460 2397bb07158 tab
    3⤵
    PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.6.1138037402\715009031" -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0ae49c-9bf3-4225-8444-c1efd4897f9d} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 5576 2397bb07758 tab
    3⤵
    PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.7.716324844\1802729027" -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6256 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99bd34f9-3202-4250-b5d0-c20fe3a1d04e} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 6276 239737d7958 tab
    3⤵
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.8.1739311498\1097846090" -parentBuildID 20230214051806 -prefsHandle 6796 -prefMapHandle 1620 -prefsLen 28217 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7fe7849-29b2-4757-adc6-c4a9291238a5} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 6948 2397c22b858 rdd
    3⤵
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.9.38297162\26607933" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6780 -prefMapHandle 6136 -prefsLen 28217 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0907f53e-cc61-4673-adaf-cc583d1a3854} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 7024 2397cd6a158 utility
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.10.648064014\2133511581" -childID 7 -isForBrowser -prefsHandle 7372 -prefMapHandle 7364 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29802e6b-4fc2-42c1-9ec5-5e94f981a583} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 7344 2397ce71f58 tab
    3⤵
    PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.11.337373381\1388366343" -childID 8 -isForBrowser -prefsHandle 10888 -prefMapHandle 10780 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a95eef4-4621-4d99-8b77-a658cca96038} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 10764 23980719e58 tab
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4976.12.1094674644\256436080" -childID 9 -isForBrowser -prefsHandle 10928 -prefMapHandle 10840 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a622eb-779e-4b05-a4ff-cea0f933ec39} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" 10744 2398071a758 tab
    3⤵
    PID:436
- - C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
    "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5900
  - - C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
      MicrosoftEdgeWebview2Setup.exe /silent /install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3096
    - - C:\Program Files (x86)\Microsoft\Temp\EU93B1.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU93B1.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        5⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        
        PID:5372
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        
        PID:2516
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5244
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5552
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTlEQjY1QTAtMEJDRC00MUM3LTlBNTktNkZBODNDNUVFQjYwfSIgdXNlcmlkPSJ7NUNBNjREMzctRUVDMC00NzRDLTlCQTctMDQwRTlEMjdBOENFfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFNENFMDg3OS02RUJDLTRFNEQtQjFBRC05NDczMzM1MkI3ODN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RHhPYmpIR2ErblJhMmF0QzN3bytJRXBDNzgrWlllQVVia1hwREMyY2o3VT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4NS4yOSIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjczODA1Mjc2MzAiIGluc3RhbGxfdGltZV9tcz0iMjkxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        6⤵
        Executes dropped EXE
        Checks system information in the registry
        
        PID:836
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{A9DB65A0-0BCD-41C7-9A59-6FA83C5EEB60}" /silent
        6⤵
        Executes dropped EXE
        
        PID:5964
  - - C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\RobloxPlayerBeta.exe
      "C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\RobloxPlayerBeta.exe" -app -isInstallerLaunch
      4⤵
      Executes dropped EXE
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      PID:4376

C:\Users\Admin\Downloads\incognito.exe
"C:\Users\Admin\Downloads\incognito.exe"
1⤵
- Executes dropped EXE
PID:5908
- C:\Users\Admin\AppData\Local\Temp\onefile_5908_133615796210638802\test.exe
  "C:\Users\Admin\Downloads\incognito.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Incognito v1.0.0b - public
    3⤵
    PID:6096

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:3648
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTlEQjY1QTAtMEJDRC00MUM3LTlBNTktNkZBODNDNUVFQjYwfSIgdXNlcmlkPSJ7NUNBNjREMzctRUVDMC00NzRDLTlCQTctMDQwRTlEMjdBOENFfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDNTIwMTFFMC1FNEYxLTQwNzEtOTNDOC1CQjEwNzlENDcyQTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RHhPYmpIR2ErblJhMmF0QzN3bytJRXBDNzgrWlllQVVia1hwREMyY2o3VT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjczODM1OTc1OTAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:5816
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\MicrosoftEdge_X64_125.0.2535.79.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\MicrosoftEdge_X64_125.0.2535.79.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:5128
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\EDGEMITMP_E5371.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\EDGEMITMP_E5371.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\MicrosoftEdge_X64_125.0.2535.79.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1384
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\EDGEMITMP_E5371.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\EDGEMITMP_E5371.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{163C7ED7-232A-48AE-B98D-8AD743714A55}\EDGEMITMP_E5371.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.79 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff6750a4b18,0x7ff6750a4b24,0x7ff6750a4b30
      4⤵
      Executes dropped EXE
      PID:3312
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTlEQjY1QTAtMEJDRC00MUM3LTlBNTktNkZBODNDNUVFQjYwfSIgdXNlcmlkPSJ7NUNBNjREMzctRUVDMC00NzRDLTlCQTctMDQwRTlEMjdBOENFfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDMUE4OEY4NC01MzhFLTQ0QUMtQUYzQy1FQUI4RTg1MEI4QjN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI1LjAuMjUzNS43OSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzM5MzQ3NzYwNSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjczOTM1MDc2MjIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5MjcwMDc3NTEwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wOGMzMGM2ZC02OWViLTQ5N2ItYWQ4Mi1mODQ3ODc5ZTQyNDA_UDE9MTcxNzcxMDk2MCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1RQTJRNGFvWlRielUxTlI3NVdRRWdNRmVUOW5xM1hreVJXJTJmRnZUOHlNTm55MDUzcTlNdk9TSzBtR2VwdjhVUmFiN2hLM3QlMmJqY04zU1J4JTJmWm5id2Y5USUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3MzcxNjAyNCIgdG90YWw9IjE3MzcxNjAyNCIgZG93bmxvYWRfdGltZV9tcz0iMTgxNTg3Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTI3MDE1NzczNSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkyODQ4ODc1MjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk3MTM3NDc1NzUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI2NTgiIGRvd25sb2FkX3RpbWVfbXM9IjE4NzY2MyIgZG93bmxvYWRlZD0iMTczNzE2MDI0IiB0b3RhbD0iMTczNzE2MDI0IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0Mjg4MyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:2380

C:\Users\Admin\Downloads\incognito.exe
"C:\Users\Admin\Downloads\incognito.exe"
1⤵
- Executes dropped EXE
PID:3452
- C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\test.exe
  "C:\Users\Admin\Downloads\incognito.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Incognito v1.0.0b - public
    3⤵
    PID:1504

C:\Users\Admin\Downloads\incognito.exe
"C:\Users\Admin\Downloads\incognito.exe"
1⤵
- Executes dropped EXE
PID:4788
- C:\Users\Admin\AppData\Local\Temp\onefile_4788_133615800444342243\test.exe
  "C:\Users\Admin\Downloads\incognito.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Incognito v1.0.0b - public
    3⤵
    PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaeb55ab58,0x7ffaeb55ab68,0x7ffaeb55ab78
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:2
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1624 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1856,i,2903952762725372369,11066471551810267464,131072 /prefetch:8
  2⤵
  PID:5256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4820

C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-d6abc3b106a04c5c\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:fGBMDTsv9VgMG7fEFQw_zn_2omiILUo05f5tb6x3MWqt8Tm87SyWpf7TA9NY03A93LfmHp2ejeqI0d6DW_EXuqRuRy0MgLP2nQuCEps-zDaCrkDqTc3rT9hsJ-GDI1nPjyR6Qiop-VQH3hiQuFEk-AV4p0KfeLEyAN7DgIKQBoVMMH6TKE2kJERPeOXCX3TZGSRoHV8vHJOi0DIhOEnYH8fKWW_siV2S_Af-4FGMzWQ+launchtime:1717106451194+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1717106046835003%26placeId%3D1554960397%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3Db9c1040a-581d-440c-8d10-a6214d5774d6%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1717106046835003+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
1⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3664

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5408
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C937FC2-E341-4858-BB91-92E4BAAB83C3}\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8C937FC2-E341-4858-BB91-92E4BAAB83C3}\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe" /update /sessionid "{B7C799BF-7F97-4EFE-9135-2CB75EB88163}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4144
- - C:\Program Files (x86)\Microsoft\Temp\EU2F8.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU2F8.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{B7C799BF-7F97-4EFE-9135-2CB75EB88163}"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Checks system information in the registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5720
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      PID:5372
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1932
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        
        PID:5896
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:964
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:5436
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjdDNzk5QkYtN0Y5Ny00RUZFLTkxMzUtMkNCNzVFQjg4MTYzfSIgdXNlcmlkPSJ7NUNBNjREMzctRUVDMC00NzRDLTlCQTctMDQwRTlEMjdBOENFfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7QjUwMTgzMTQtQzFCQi00QjM3LUI0OTMtQzI2RjIyMTVCOTlBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTg3LjM5IiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMzQiIGluc3RhbGxkYXRldGltZT0iMTcxNDEzNDkzMyI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE2MDU2ODY2NzIiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Checks system information in the registry
      PID:3660
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjdDNzk5QkYtN0Y5Ny00RUZFLTkxMzUtMkNCNzVFQjg4MTYzfSIgdXNlcmlkPSJ7NUNBNjREMzctRUVDMC00NzRDLTlCQTctMDQwRTlEMjdBOENFfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxMUM5ODI5Ny1FOEVDLTRFQzEtQkUzRS0wMUQ4REE2RDhCRjN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xODcuMzkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iSXNPbkludGVydmFsQ29tbWFuZHNBbGxvd2VkPS10YXJnZXRfZGV2IiBpbnN0YWxsYWdlPSIzNCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA5NDA4MjI5NjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA5NDA4MjI5NjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNTg1OTcyNjI1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMjIxNjY3ZGMtYmIwYS00YWNiLTgzM2QtNWExMWRjODhhOGJmP1AxPTE3MTc3MTEzMTQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bXRRNXVwV2NEWUtiNVNodUpReWd3a3dhR1lkcXg0TzFuNUZrbmdpV0hkU3RSRkhPOUE1OXBsYjROMVNwOTFsdGxKVFpXMmlUdkV1d2V0S1h2MmRvdkElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTU4NTk3MjYyNSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMjIxNjY3ZGMtYmIwYS00YWNiLTgzM2QtNWExMWRjODhhOGJmP1AxPTE3MTc3MTEzMTQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bXRRNXVwV2NEWUtiNVNodUpReWd3a3dhR1lkcXg0TzFuNUZrbmdpV0hkU3RSRkhPOUE1OXBsYjROMVNwOTFsdGxKVFpXMmlUdkV1d2V0S1h2MmRvdkElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNjIxMDQ4IiB0b3RhbD0iMTYyMTA0OCIgZG93bmxvYWRfdGltZV9tcz0iNjAzMTYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE1ODU5NzI2MjUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE1OTExNDkyNzAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSIzNCIgcmQ9IjYzMjUiIHBpbmdfZnJlc2huZXNzPSJ7N0U3RDhBNEYtRDAzOS00MzVFLTkyOUItQjI1NTMwRjkyNTA1fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIzNCIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNTg2MTA5Njk0MTM2NDgwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMzQiIHI9IjM0IiBhZD0iNjMyNSIgcmQ9IjYzMjUiIHBpbmdfZnJlc2huZXNzPSJ7MzJENThEMzQtRjIwMy00QjY1LTkzRjAtMTI0NkQ2MEIyQzUyfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMjUuMC4yNTM1Ljc5IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjYzNTYiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9Ins2QzFDMzE5NS1GMjk5LTREMzAtQjc3RC1CRTk3QkI1Nzk4MkF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:4484

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
PID:5432
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0M1RjlDNDItQUNERi00MzgwLTlGQjctODdDN0NCRTkwRkNCfSIgdXNlcmlkPSJ7NUNBNjREMzctRUVDMC00NzRDLTlCQTctMDQwRTlEMjdBOENFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OEY4ODNGNDMtQ0FERi00RTYxLUE0MUYtNUEyQTk1QzEwRTJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0Q2anhQZVVtS2ZoOHl0eTZGMDdZeE0xZVpESC9UVjZGUVQyZmZEaVp5d3c9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzNCIgaW5zdGFsbGRhdGV0aW1lPSIxNzE0MTM1OTQ1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTg2MDg1MzMwMDAwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ1OTQ3NzAxODkiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Installer\setup.exe

Filesize
6.9MB

MD5
365eb1aab5e477760126569b7f72f85a

SHA1
06aa9c213c163b7716644314ea6d3997f882ab06

SHA256
19dc1f8c7901ec057bfaf763d8354a07880ce6fa3093185c64b95d082f8055af

SHA512
0d34bc14ed5328f2ded1c48acc29872a2154db0c4c9072a098266a08c0d0b235705223f988e64e3fd418e9c62338560e33d7f3d9ae933f43da77763e88938888

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.187.39\MicrosoftEdgeUpdateSetup_X86_1.3.187.39.exe

Filesize
1.5MB

MD5
1f744e1c802560affe8b308640b6ab67

SHA1
bbfecefdf891c11d573760d4dabdf86091463421

SHA256
fa7d8a8cae60ab620d2aa887de62039d2647e4f5c1c649d75f0f52e14ec11a99

SHA512
780440aa518397e52bb429b5a8e7697bf0096db0fe343cd40a541b60f34ad4976ef7fc2204737d296a8c1fbed2951496503dc50158d6455617c67483f87f3015

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.3MB

MD5
529ac613c7ac1ddbaebe9e7d9f82eca4

SHA1
fc8cb991735a98a9663776a61cb9c185a3335f94

SHA256
cd6a5d746b5c36525d781e6d40368f87a3edc3ea157bf63fb55baacc51337f0d

SHA512
e2378819587ed7eb417d0375d49a55ef9292b9e8d22718a52688e3fad59d68a711281f25d1045a9da5442f2d805b9d98aedbf4278c9188208bb2edd917751e04

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
1cb46a725e588774290810a94328cddc

SHA1
46c8ccbbee2a22e18c9a02b9630e69b0f804aa89

SHA256
ef353e3e839da4f752a2fed88f72487da7344162c82ba9ebf6e87c7866dc0ebb

SHA512
5c852351b179152ae78900b505bc48a5242128a0734c8cc733613078b42d3d89352979597227107e8934bb77e030defa31c7f02c0b0f1be638d6dc53456f4063

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
101KB

MD5
297f812d7a01c813f2bf5acc3924db7b

SHA1
cf94b37cff242f687c27434e030bd73d00fadada

SHA256
d4010ac92e97caf6da6b08550768e005dd9b369470117cd76309b58b6efcc021

SHA512
c6be87a33b31a8a5dcc58cbfd03a45c96ced4e716f7d959e7acfefdce2be52cc26c28f9e8c8f7690d28e869fe19082bf55c8533f25d3cd34a684d852ac40a63b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d00d893bac206381029fa6e369de70bc

SHA1
e9a24b307558e8231505511881ca6f67a83ffbc7

SHA256
c139a416e92b6deefb72ea1f4c56a998dcd34d555807aedafd0f6d6f09b25d48

SHA512
df78ccef6c6fe0d6412c347e50fa42cfbed897f31e3e489f533978e11f39f60c0a8164cd1709d367b5ec16c1a744a676d389a5feea8de8b92f9d1c6c848b53c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
077b7ce1b00f08b1272161e1c6b8e606

SHA1
925d529096724a6b544c3bf6b3ed5c00b73194b1

SHA256
1aa4fa0fa7b833b1df1a983ccbbaf2eed466d27e7b10889981819b97e9994068

SHA512
a32107f2e74b54fedea341eadb2df15787f132bc28baf23c318a8bd3d1ca1d3ebd659dfbd3a9555efaf07c213c082cdf023d2e048d3b003b609f74a79db5a3de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6fbfa5ad8c10c2dd86e2bae53af6733d

SHA1
18429b8558d65b22c516fc96bbdcba552c4c75b7

SHA256
ee9ebf0ff2792235ca91359906e3ff70a45c48e5219652cad70fd35901529697

SHA512
c2909f3b84047ca3944a9caf4e4f930f253364035c95a1a74968c4f06c7a23640fef6be9616344a3051a29ae589f08a283050c9236c796b43dd773ec46eb73ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
391751baefecf76edbed64b403b8d582

SHA1
e47837fece0df12c9010e093a4d84a1a3b948a4e

SHA256
d0f4409cf6f4239da9daf2fb989aa14c28a62ce29160504f27f3002a4d357f32

SHA512
68e3c834871e477198928afe343c8dcdf4b44fe12a536db5d6e14617fc19f6a4d98121f9985ce03f0290a7fd0b8c356d226c72c47242e63312e7494fdc17c286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f409e37a29d0044f60556bbabc571369

SHA1
cd28eae04a11e6d10b0750dc4b0cd8fb7084ce23

SHA256
4da4163dafc7bf853f8e5cdc7b5275a2613ca4d0d9dda7d3be6c701399b53e39

SHA512
e7feeb2153c41abc7ee920f61d871b2a344f2800097f5f45257542cc97baacc5ffdd89c004308bbd284f6ff9d78a849cc40cc1c65a573430a17c1c816bd3d102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f2bcf8a9b65c66d6a94e131e1c3c428d

SHA1
540f4e22504869306a670f107cb770e1ef50fd51

SHA256
2099e54d819f06b1d0b781e7c2915e4323283f517d07e830470ccf1652516487

SHA512
acc61c2db9dd6594f11f6dc1862dd502ca7ab3576bc7b19df1c871e89a27e615e82a35928881c8e4f9a9f28887a645161beb1fefaf89cda5f807abb2219cafaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
87dcc17112c6d9aea09a599746907b5d

SHA1
b1da46664aae3ecb7c6c9899e3b4626933337ce2

SHA256
d6a8deb3a2d8bf9c141410f4183e6d80ecb586ccba4622d8e84d08d5579d25f5

SHA512
28e1adda52dfafdbafc97a051de9024b3ff50538fa05c88d10ea6f324067ce3f249cbc715f18896fad638f6ecd5546581b6e2b09871300bd49337ead15a30ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll

Filesize
5.0MB

MD5
2df24cd5c96fb3fadf49e04c159d05f3

SHA1
4b46b34ee0741c52b438d5b9f97e6af14804ae6e

SHA256
3d0250f856970ff36862c99f3329a82be87b0de47923debefe21443c76cddf88

SHA512
a973bc6fd96221252f50ebb8b49774ccfd2a72e6b53e9a412582b0b37f585608e1b73e68f5d916e66b77247b130b4fc58bf49f5bf7a06e39b6931c5f7dac93ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

Filesize
553KB

MD5
57bd9bd545af2b0f2ce14a33ca57ece9

SHA1
15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1

SHA256
a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf

SHA512
d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll

Filesize
3.7MB

MD5
ae97076d64cdc42a9249c9de5f2f8d76

SHA1
75218c3016f76e6542c61d21fe6b372237c64f4d

SHA256
1e0c26ceecee602b5b4a25fb9b0433c26bac05bd1eee4a43b9aa75ae46ccf115

SHA512
0668f6d5d1d012ec608341f83e67ce857d68b4ea9cfa9b3956d4fc5c61f8a6acd2c2622977c2737b936a735f55fdcce46477034f55e5a71e5ef4d115ee09bfec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncTelemetryExtensions.dll

Filesize
58KB

MD5
51b6038293549c2858b4395ca5c0376e

SHA1
93bf452a6a750b52653812201a909c6bc1f19fa3

SHA256
a742c9e35d824b592b3d9daf15efb3d4a28b420533ddf35a1669a5b77a00bb75

SHA512
b8cfdab124ee424b1b099ff73d0a6c6f4fd0bf56c8715f7f26dbe39628a2453cd63d5e346dbf901fcbfb951dfbd726b288466ff32297498e63dea53289388c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll

Filesize
504KB

MD5
4ffef06099812f4f86d1280d69151a3f

SHA1
e5da93b4e0cf14300701a0efbd7caf80b86621c3

SHA256
d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3

SHA512
d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe

Filesize
2.3MB

MD5
c2938eb5ff932c2540a1514cc82c197c

SHA1
2d7da1c3bfa4755ba0efec5317260d239cbb51c3

SHA256
5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665

SHA512
5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

Filesize
2.9MB

MD5
9cdabfbf75fd35e615c9f85fedafce8a

SHA1
57b7fc9bf59cf09a9c19ad0ce0a159746554d682

SHA256
969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673

SHA512
348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll

Filesize
1.6MB

MD5
6e8ae346e8e0e35c32b6fa7ae1fc48c3

SHA1
ca0668ddb59e5aa98d9a90eceba90a0ee2fb7869

SHA256
146811735589450058048408f05644a93786a293c09ccb8d74420fb87c0a4d56

SHA512
aa65ef969b1868a54d78a4f697e6edbded31b118f053bbe8a19a599baaf63821dc05f75b2ac87452cb414ab6572b8d9b349093931e64601c47f8ebbb49c431cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll

Filesize
451KB

MD5
50ea1cd5e09e3e2002fadb02d67d8ce6

SHA1
c4515f089a4615d920971b28833ec739e3c329f3

SHA256
414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902

SHA512
440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll

Filesize
432KB

MD5
037df27be847ef8ab259be13e98cdd59

SHA1
d5541dfa2454a5d05c835ec5303c84628f48e7b2

SHA256
9fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec

SHA512
7e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll

Filesize
425KB

MD5
ce8a66d40621f89c5a639691db3b96b4

SHA1
b5f26f17ddd08e1ba73c57635c20c56aaa46b435

SHA256
545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7

SHA512
85fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll

Filesize
1.1MB

MD5
7a333d415adead06a1e1ce5f9b2d5877

SHA1
9bd49c3b960b707eb5fc3ed4db1e2041062c59c7

SHA256
5ade748445d8da8f22d46ad46f277e1e160f6e946fc51e5ac51b9401ce5daf46

SHA512
d388cb0d3acc7f1792eadfba519b37161a466a8c1eb95b342464adc71f311165a7f3e938c7f6a251e10f37c9306881ea036742438191226fb9309167786fa59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll

Filesize
73KB

MD5
cefcd5d1f068c4265c3976a4621543d4

SHA1
4d874d6d6fa19e0476a229917c01e7c1dd5ceacd

SHA256
c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817

SHA512
d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
2ff4df04a386000489407eb174635a6b

SHA1
1cdc796439928a76503b09b67e2bee602a5485cf

SHA256
92842baa9b97def3dbd28c2679ef0c3e328a3ba6d38d3c236e02c495aa88be4d

SHA512
b60810ecd161644ce5f15ea1e3921674d2e5178fbfb12b242bf0aaf63995478d289fc1a9e863c95a5c9c5809a991d299a0786988858da5f73b63cd4ad954afc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
0724e6f574bcd31e45392321abf90d7d

SHA1
3306a9495658163367b22d1a10e80be32b8b46b5

SHA256
2ac1e0c241afeed6487ab9ff4a0710e640bb13464f251fa415d68dd07e9ed771

SHA512
8b6b2451f4cf2b694d6171ed6cebd1c51c1444a8bb639a080812eafe9a4426e468d919b0e3a353ae91f1668e0c6cc6a302b4c47b9475ea3779f303a70f80b2d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K7TNQP8W\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
7c0da5a4462d0b32ab54a4b50d4dd809

SHA1
fecd6e297ba663afdcef6b1b0d7ba0ff12cc5361

SHA256
30203555abf84fefde0de802b164cd02baea10654354467d080870a33a23cf61

SHA512
0754f5dee944effc77b24bb08caae7efdd662a9d790ad65d193c6a53774e1ad962d3daca33c891263155ba7cdf333c747d92fcb4cb2675ed2bea0907ecd116b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\10591

Filesize
11KB

MD5
83eb355611a913eb8659a4195ec8d36e

SHA1
cce45b4a5a7193098b3e117024b591d328da8833

SHA256
02fa9fdac89dfb204896f62aadfd410348508f9e73f759155f1c99381d8041c0

SHA512
05b39138a26efb29bb29eff6e18d27d838ff1af184e6e80b894c269ef8fbc5b46491bf2ce5b01e80f59ac31a5e293d37ec9ec05269b173a3313670f1bb48da28

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\12822

Filesize
11KB

MD5
90e16a88784d506f5debff95a9c99b6f

SHA1
ca15234aea78fc0ccd777e7119147389db44a95e

SHA256
a46f9612dee2d17a7b8d055bc48e3d3ce46732e8d00728cbd9741fb8e683e970

SHA512
edf76f83776e27d367a296bd4374eae7ec62beddefcb76b84d411ffe593d4e84827d81a765e1d663b00c960b455693f849b3ce822880d16eb6b7a475e50eec7d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\1354

Filesize
10KB

MD5
cb16712ab55dd941526c700842462431

SHA1
a934e265d7bc8ff0652540b5b9ea8d11f69ef798

SHA256
873c6a007e5fdbd916771cb15fc62f6883f165a6d9898f8cd611a6ce55568edb

SHA512
c49551959cce2bdef43433483d88051cc9fc37b4f9c2cb6291344a56b0f4171564e49cf248475b63e265c92932992c3d3d313e2762a99469cf811376023de863

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\13944

Filesize
10KB

MD5
2a8852f6b30fae92840000034cbc48d7

SHA1
746923dc78eb006b48c51a0f45d2e8dfc2174eb1

SHA256
10cc6f441f1d08acce5ea0bc2509f8e278c0abcbada1f6a574df33fcd6d752b1

SHA512
7344d4b49f298aafb8b928c0d907852fd03bb74e411cea390fed221285c470401c3d7324800c377a5b195d935161e1dac9549755bff23967899d42f84e7d1a57

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\14192

Filesize
10KB

MD5
887922c816f47be94aea7c0a649707bf

SHA1
9f3ca826dc84efc4db0b43c48abc8c943a792e61

SHA256
9ca0724072f9ff07e51d16ccdc6d990d20c468226383d3e417cd679f3481f70d

SHA512
af526a77b56ffd1f4e700b2b0193312b9a5b1dc659794ee6943f041f6ff48b8bff729786bb475a04a28033487987022fbe550d6aaad6da0bd8e60c22dad39591

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\20475

Filesize
10KB

MD5
f54d29e733ba2e24708345710433732d

SHA1
2c07218b7609bfba19ffbfb9b3743ea39dbf28e4

SHA256
448ec7ec9a855eb7300924bd890c341373dc8659531ca5114ebde18f0cdca5b4

SHA512
915e1f373bf5e94a0289c707f869a0ec1d6ab87c471c03a3f4f4a64ca7cc695bd14896912e7fea24ebff523cc580842060de2d3e273d4777e0470e0f18530144

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\20712

Filesize
10KB

MD5
925b8a246550b36de4ba18d1457e6fba

SHA1
2f435589b53b26bed25d9009c1777d620bc61ff8

SHA256
a9fcb8b6edda8e91257886f4beeccdfafcfdcdb45a3fcf30fbeabb6c1218bf85

SHA512
2042fcf7eda3d08df55baa7ecf8b38bd4b4029cf1bee109d3df6a4c09526e1604c86f86bb57ddbb542c0a172c3056d527653c2b6428efe9dbf5d8fffd613ba33

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\23629

Filesize
11KB

MD5
cd4245013803067444005e076fabcb16

SHA1
88aadb769481cbe217ba4d0eebf1854daecc0b87

SHA256
70acb84e320375c6ba0566c379cb2a34271d7557f8cee9b0c11fa28f6986fc1d

SHA512
eb9b397487ac641287be66568ee3c327cd38c88af5e08a618203997cd317c1fb3d680adaabb086910ceb271bc55e0a96121df0485980ea3a6b846dd3f9a5ab14

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\24001

Filesize
12KB

MD5
3118d3febae55509355b6b32ea3f9aed

SHA1
036a101fe06969ec2e5f86a969eab4259fd5e217

SHA256
36887395d87d99ab093c53228a13d19e063e149b71c44261918d6bf6663f0e47

SHA512
2f7a07498f763199df1e099ec50dd036cb53bff477ff00700de9a96d23f44cceee08b68cfb3a07535f958d8780ba7f8e066fca6c09f63273c69bfca5cf2f67ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\25997

Filesize
10KB

MD5
89fd93de9a4314dffaac36658bbb88b8

SHA1
f1586a84a269ecf20ba292fdbea8142991773a2a

SHA256
dbf837306bdc5f72921a4de3b96de0fbb406ffb3067d80319a0defddcb290665

SHA512
638ac389765261cd9152ce6094f8e4a511c6725a6535575e73c61aeb6945960b45c154928d3c291b9b0dca0defd1c5d7c557cec513e0176266e83659a8b734bc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\27769

Filesize
10KB

MD5
fd8099c45a3779f78cdcd23fd81b6141

SHA1
4aaa1262a4629b99a16652f954620dd8eb2ed503

SHA256
3a5778fe8d165a140a0219486e49db50c5ff1f15796ecbbfa4b73fbcc157778c

SHA512
e92338d5cee2892957d5ba213d834582502fcd668eec08f6f67183ebedb98a1bbfafeae180c738d29776f3858bffa6bda425083391311608051d2dbba5cdb5da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\2801

Filesize
10KB

MD5
8858da528a730db5d8bc59608de7be2b

SHA1
e7fb19b76f361b18b9ae1db1ed9d45d5a889e5de

SHA256
08fa1a04a53b7c6f16426023a628b1f9ec610721dee711fb4b66aa8c3044b794

SHA512
d5dd418626e7fe43f6caf529efc723bd3528cbb3474c8238ee003295a21a29ee570399142565be2853c07ede428ec3325829c5bc0ee73315c705d7d6b7756307

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\29699

Filesize
11KB

MD5
42ab4dd4e857b39c5ddf88449a1f30b4

SHA1
180260088d76fa8c59c044771a8fd390451e14a2

SHA256
3ff62a46188efbac4c7b73aa0df83cebcd51fb232e49c1c1add5e7c438a76832

SHA512
1cc43b5d49f8a3495d0f221c82b41cc52e6eb17e369f19109904a04c1e6927e05632eb7185c7e52df529431b554046d29cb0f36823785b85022a82b49cfd52d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\32764

Filesize
11KB

MD5
d9ec991f9693f85d357663fce02137e1

SHA1
453294c844fb119a458d6afc985279bc0efba7ff

SHA256
e7aa0dce573a4822540533040518fbb1c5be0d929e46534f6fedbfd0fa77b096

SHA512
95c41f8cb7b223f6ea168ea97ada846a63b64dd57260a217db5eadaa805d8e96482b561a32f53cf35e263f59aef8207bd4c665962abebc9b968007b9769c003d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\4260

Filesize
10KB

MD5
33db33cd52bc60e565977192ead44b1a

SHA1
21a2d27b54d39f041e85efef8877a3d96c0f92ca

SHA256
5f6a2f5cbf1e9ecef90a0afaeccea78acebbb58ef85802ce5d7c12968678f737

SHA512
bcfbf5798cb346034bb2f25f1832a6faeb32bef5f49602a79fff9cbe3b7e1e3730e7a21d7c732af43d95f3fec0bb8b1b2dd1d6247b3d54681dc70fc2818ffc36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\4484

Filesize
10KB

MD5
024a0260e2355f4d2ebd4fa75f7e791c

SHA1
9a2fcf6b59cae5f4a7c9773b8a1dbb4a49a11eff

SHA256
3e493a07b9ec49fa79847dd18b0e625b706124adfaf0a09d94ac818fa6b9a38d

SHA512
defb1bad949241e0b63d641fc0807d236215daa73b2937d599876aec38328afd2901cd464791ab334072b70b849f6dc349ea41c340c2f8ad4d31a7dc12a626ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\4726

Filesize
9KB

MD5
c5febdb7cdd2a16f212e1f22d463806b

SHA1
0ee5075b36c48e80758131e6b0eff4a1ea9e5b92

SHA256
0515d918be7f099e14a5761068edfb3352d6cd8aea6632534ff51bff6202e216

SHA512
5404b211f792b182d65342a942cb882adfa3707299fea7aeef2886fd19a2fa6ba09fb8ede52bd28e457ce9e0a34c21b5a4a1630947ecd8044d15174918b51b8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\5045

Filesize
10KB

MD5
616e7432fe5ce1ec8f0dcfe30ea2c061

SHA1
290c9fb0b77dda9b3ff1b30a5d484895277dc202

SHA256
fa181a9417f6e0c9e2bc71275c8ef6172ecc718130fb8a5d4f8a0aa7d74c5593

SHA512
c71adbba45960dc2d834f267b4322c48e9482cee114af63658aa15f9cb8ba6eb9efa83905f0f9f73416a3afd49688ac98b273790f364aad751ead58fcf54815d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\6852

Filesize
11KB

MD5
2aa2360f4256d8584bfda614ff54dfc4

SHA1
1c1a121d6a5e05762de90cb163982c54d051b3c7

SHA256
5d2bcbd3d75952710516c607107b19dc57d5f0b247ec2a5e3c40de44ce2ee76b

SHA512
d1cad1560a22bc97416693d82371671073d9e13dc5d9edc1a82136d3a2dac354628e3d35e3b88ecca9e38430b941f8e96f729a546461cbd1b25164ca8c69e362

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\doomed\9221

Filesize
10KB

MD5
0457b46c100ffee1272cd0d6b9d4b55e

SHA1
0dda20af36961f5fe1d5740912595d4e1d436e7e

SHA256
e4d68d438053b52efa0c658da736b1a5b0a0ddc7fa1939e1a8b6fdea551fd474

SHA512
13bc7982053a6ab5130275645a4527432f20cae7e837deca720918c0043ade3f078842df303cea2bcadf466ef2f01ad27d7b31dd2c48eb041494cd51b9d2fac7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\entries\4EED77ABF2B13446DC47048EDC01C87DFC8AFFC2

Filesize
32KB

MD5
fd9e899d6e375aa79b71cbf90346b150

SHA1
2802ebbf89f23ab5bb23cdfea20f521976200428

SHA256
d317ebf93d894f2b8ed9a9630d4be9e30380b4c1aba040fd602c91a0b4d27c57

SHA512
86cabcc0b29b195719b26f43e185f7699af05967eae9b638869986ace969bbae63cede11ae561907c15361650b56e75e3ad24919e64b7f2858321e33206ce3a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
2cc78db6e0a33101c6f8ad4a37c2a8fa

SHA1
33cc35f712067dc7e7d794d2a5a8806f8fb6d968

SHA256
f9f170cc72596ef5dacbd149f0a2e238e5ad35d5bf77c3cce8fb813639630a8a

SHA512
f45522006d8c427314e03d0901f561eb1d8fdf85c2368b6b39ca513fdc847be14fcc85114e2a31648933d9034097c5aa94dc133fbd5da6f9e26737d86b0bd9f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
34eb3e862a009f3a20fc9ffd1ae3bdb1

SHA1
4a2a25d9ae2b2b7974f01dc16148945366b5bd5f

SHA256
c4afbe9599a57ffec37873dae8b5c71b0489fa5fc6f05ef8981bd45c73ce8f80

SHA512
044f754a8653f7a128eead3d36e41c450d93ff1183b379e863a5b0d296caeb62efef85fe04216802a5e1fc3d2341883a29b199e61aec3f86b2500e5ae9f13f0c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\442b78765b051e21bcf04e926b87079e

Filesize
5.7MB

MD5
442b78765b051e21bcf04e926b87079e

SHA1
1a22cf8c593231a6963bf2a624bf105420d4dae9

SHA256
4387634feeb838cbf3156a553ff0914b3cbbc3369a1179a3c6fa57c58b755017

SHA512
da2fb23108d05193776703addfad8887fa8455e5a1de441fa2a53d1da6142559f19d1a64910d88643b73a23e12fa09b6cb04f3df2aa007edfe0a4adb8175feaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3128.log

Filesize
470B

MD5
fc11d6d7ab245e582631b79addb282d2

SHA1
34071e151142a739a63c2d8ed4d4cc3e0a39abe9

SHA256
f9cb5f9d8afdeffe16d3ab2eed654332fe4564acb8afece58193c9e06d8c552f

SHA512
5f8e60ba14bb4b06d0237cbf57a7e4f45a1fef4ca0ca19bb5d3ce1b7609c18a996b46309b652cf99a9fb2acfb9207062a0090a05b3b571ab8f0b439c4697a5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\_elementtree.pyd

Filesize
123KB

MD5
63629a705bffca85ce6a4539bfbdd760

SHA1
c5bf5f263e4284766cfb27d4b7417e62cce88d12

SHA256
df71d64818cfecd61ad0122bea23b685d01bd241f1b06879a2999917818b0787

SHA512
c9191b97fa40661fc5b85fc40f51a7177f7dc9e23acfc5842921631ebb7cd253736af748108c5afc03683f94fbf9c2f02fca7415303f7226f1d30c18e2dddb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\pyexpat.pyd

Filesize
193KB

MD5
1c0a578249b658f5dcd4b539eea9a329

SHA1
efe6fa11a09dedac8964735f87877ba477bec341

SHA256
d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

SHA512
7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\pythoncom311.dll

Filesize
654KB

MD5
f98264f2dacfc8e299391ed1180ab493

SHA1
849551b6d9142bf983e816fef4c05e639d2c1018

SHA256
0fe49ec1143a0efe168809c9d48fe3e857e2ac39b19db3fd8718c56a4056696b

SHA512
6bb3dbd9f4d3e6b7bd294f3cb8b2ef4c29b9eff85c0cfd5e2d2465be909014a7b2ecd3dc06265b1b58196892bb04d3e6b0aa4b2ccbf3a716e0ff950eb28db11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3452_133615797914285757\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\test.exe

Filesize
9.6MB

MD5
5244aa93f4209963f6c63e1ef9dde0b9

SHA1
642219eec726127fe7fbe9ceb5e223dcf46fbe46

SHA256
aeca166d5d3da9e76957686ca8753e95b930d8508f825f3cc6b4bac28da6e142

SHA512
e510165f98b070ad3c202734833230779fd95585d28b0a9873afbb5022f488c85e935b7f366a92b89449b42106f4ed76997cac16994386560bd45021d368e28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\vcruntime140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\win32gui.pyd

Filesize
212KB

MD5
3c81c0ceebb2b5c224a56c024021efad

SHA1
aee4ddcc136856ed2297d7dbdc781a266cf7eab9

SHA256
6085bc00a1f157c4d2cc0609e20e1e20d2572fe6498de3bec4c9c7bebcfbb629

SHA512
f2d6c06da4f56a8119a931b5895c446432152737b4a7ae95c2b91b1638e961da78833728d62e206e1d886e7c36d7bed3fa4403d0b57a017523dd831dd6b7117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_684_133615794754154010\win32process.pyd

Filesize
52KB

MD5
936b26a67e6c7788c3a5268f478e01b8

SHA1
0ee92f0a97a14fcd45865667ed02b278794b2fdf

SHA256
0459439ef3efa0e0fc2b8ca3f0245826e9bbd7e8f3266276398921a4aa899fbd

SHA512
bfe37390da24cc9422cabbbbbc7733d89f61d73ecc3765fe494b5a7bd044e4ffb629f1bb4a28437fe9ad169ae65f2338c15d689f381f9e745c44f2741388860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CF.tmp

Filesize
35.9MB

MD5
5b16ef80abd2b4ace517c4e98f4ff551

SHA1
438806a0256e075239aa8bbec9ba3d3fb634af55

SHA256
bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009

SHA512
69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
92627aa7fdb137dcf7733746aaf52d25

SHA1
95c6369cea3b457ee138ed20bf6628a8e20b20ff

SHA256
6b52b13c0ee3742fae4193f583711c119f3451239a6221bd9722467757f5d91d

SHA512
87592340d8306c0bb1f301f67de0cc64b764391553e899b65955936be6c51cb043882c25f16b3d3f4d2c9f10e921df387d06e5c1dc2fa75a8ac80b7fdfe04373

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
17KB

MD5
0c49655bb60b05e9d0d7c884b533482d

SHA1
e1af8d46542755b2a2cda4cf2e55e9b958b67c5a

SHA256
32b3d492096b45ec42b751674d7b9c9051e6845cbc8a35e484e75fba75df10ef

SHA512
bbd12a251a9f4c793a05ecc36e588fe75bb910aa7d0fd3bb9e23d0a904586ab333a8008d45cf2016776672ef5a803df04092b566b432188eccb6013d1f01cb74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\AlternateServices.txt

Filesize
6KB

MD5
2ec50bd95bbd13c37707e687cbead669

SHA1
69ddb0765316923ac10e273c2baa136d58e2c153

SHA256
7b5cb459ddc088f320bd705a5228473fcaaf6b08c25884a6295c564bed10378d

SHA512
91ee56cb7ff7bbd4d5283d427b8ef26fc2660b3ddf3ebd5a442c51efcb54caf489ec4e8ae7a613252b2d1cc548b32ed9a969c56e472b63857eeec9af8ca13c32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\bookmarkbackups\bookmarks-2024-05-30_11_t3vonNAMKDZTnj3T-rg3tg==.jsonlz4

Filesize
1007B

MD5
d09efa84885575f380c26bfdc5465040

SHA1
90195dffaa198e69477fdaaada7447eb5099bf96

SHA256
f210e3fe29a0249006a75b844244fd9e842263e7c08206194db238150d4fe885

SHA512
417b52e0f2fd8b8e401a21a4a2b3aafcb2e4fc6c5727fc50df7591e0092b3a9b543a8d541fc2b20e12b79240613866c82f06552d2461fd499b099f4498cd135c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\broadcast-listeners.json

Filesize
216B

MD5
0b8b0c1a7f5d60788c9cbd4ba51c4416

SHA1
63ede61fb32dc914af5d51cff3389fefe70ca1e2

SHA256
c171de4c0a9d30497de0ab6bc8ff03125f5a1feb531d1fc6411aca9f63335bcf

SHA512
22ea404b8b529b9187f7191322828712b4ea01d3cb4e6a86e9e738273bef21542ae0932fb2a05ee5f51c2919334e3b4e1323a338ee397b2a3eddab233d69dc78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\extensions.json

Filesize
40KB

MD5
16d11c9bf1ad0c2a760609f7883d70f4

SHA1
02bd3b2a3093cd34ed92526e9d696ccc289a4b3f

SHA256
30c2d365745cc14c487cf7355d9385f7fbde2d94a3c4a52344a599d9ffe44217

SHA512
bf1ccf727c1555c07768c8c1b1268ca9fb171b43d45a80b3942d971233ccf91e3b6f4e6d638f3d2cfbf7a57be6f7fe30ce7d825ec9c364555e48e13f452cf091

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\handlers.json

Filesize
439B

MD5
6744af7e249c7fe04774492eeb4a7c8c

SHA1
e1c21b64b2fb0181a5309c1bb2b5de477fc4bf28

SHA256
2cee6554a5acf4ae1a67cf258ca73443656828f7dda1a5f0004dcb7ab77fa680

SHA512
875661b98dbfd0c6bd574868f2511fbd56fa98cc8e1f3b901d8e41c60d93cb9de1bc8f48524043eae4a55ac5bc1090a58e3a9a5f0d6bac3aa16ddf5f29dbc050

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js

Filesize
7KB

MD5
7002e67297c9dde0d23a516e76df44cd

SHA1
b7a50999747d0fe50bd01ad2f5fbbfd9610d7934

SHA256
e7ddb73f7367aca25a8c848e462e89faeb1bd628ea6afa73dab2cc2ec322d036

SHA512
0832fe0b7d7ceb35425d63755887da0ef0ccf294f5eaad893a129a52c3e06c3c83aef2b3285dd0c998b785798176516699ba5595db73a65982ebad3b0aa52add

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js

Filesize
6KB

MD5
1adddf5da858df0135304c4244cf6f4f

SHA1
db12bc2871ab3d160ae5b275c7b5e313156815d1

SHA256
20ecea07d7f516fbb1fbf46a4b6ed277fa315fd6c29115f4302f95a0977ff8aa

SHA512
a3131991d89cece0e4b5d2a6866875def636a6a4bd92f05de56a9bb5a42032ca6e52d96e7c1ccf13f564ac393c6fc1c18422f834f41900f4af4502274fa0efc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js

Filesize
9KB

MD5
2378c9c1f8a1eb30f1e17870a5cf4d50

SHA1
d82e8a1efe2c4a185655b410de1a98438ac5f81e

SHA256
50940fa24d8990ff7042f4faf15f5a51a51188ad30ce3be1ba424e98bbab7189

SHA512
153266a5aee70b0746e1c57008fcb1a1e5e834f25b23e49aa135f5f0334dc60b243c38c9cbbfc212190f2887833fdf3a2a405901079f3437e28da645b845eb29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js

Filesize
10KB

MD5
22507bb7db01fadc25ef5a651b293892

SHA1
1e2082da3e5a92d668e4409a3288d45dafcd3801

SHA256
455033b0200d5ffb2661f41d1e37db20b0dd16daf98ae2c5399552597c9a9555

SHA512
9429a6c34446816c40cfeac7c470b44850af008966896bbe26f4ec16b8125c319f93d67b219a6b8625ae33b7f41379e6e798c2089bcc2d25eb0fb77c1d7a4de2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs.js

Filesize
6KB

MD5
5181f796569cde47d894b3e43c91ffcd

SHA1
c37fa21de8375a8f1073ead167e8606e08a4d12e

SHA256
094b287b517993dc3807f10b4e00031f9ae69b915aad991ef80aa193e5519710

SHA512
86b247f729cb09ad7d5b839944fcbc946df6ea2f27f5d03c5b7667a11e0020a282380947f5591f1b5a5565faaccb03b48286ce0a5367813f0161fdc0ff078406

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs.js

Filesize
7KB

MD5
21cb754a8554ed850dc39c27955a3737

SHA1
dd73e7d4e960341b67dbb2dca565a6124c82bd85

SHA256
fbbef45cfbb0c90e193481199fdd1a2297e007b205e94af7d0fbbbd4864078ab

SHA512
214408d1d3ff644c7259a6b3f59913e108a179ae2bacd9983518de40a0027d620274fd3eb2119af32565080d3ac9873a4725cba02927e2d4116abb7c368da3d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
37bafe3243ccd751e8e885714f374552

SHA1
8ada5d926fbba62876bdc0b23c7415ef5d36d863

SHA256
782cde7fc76f267bbc5fb777502ce724e6bc2516fb06c9b7b4245b8b599a2aed

SHA512
d2d5e5633e40314ab79f652b245e53f8c07794e2650e0aa66bfba9405d4cf1d48937e2d0945d722cd709e861efbeabb9fbe90cf61c2638266834eb7159d101ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ce612508548f36e331993a120072547d

SHA1
b2f078d4f4f981b6c0de9275840373973c09fb3b

SHA256
d876fa0b9a02294fa7c7bcc7c176b6dca84b4d521ccdc24b3f2c4060875033e7

SHA512
296043ac624a7d734f7edfd29decabdc19f1cf5bc2840c46eaa80c7edf6db00990fafcf24534f553cbdbe95f0e53c91ea0167112b6677a2a1cb13164bc0b8165

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
ab5e07b29ccbb0cdcc0d3ebed4c9fab6

SHA1
4dc7a23551aa17cf3dc88565a9476ebf860c4d82

SHA256
bb0dcf764f2a25dcff5c50cf93a359cf95e35a5f20b2aad4b630ed7c18daf009

SHA512
26b53c08d12dd8add4c77a7cd0c7a03344b4cbd94383d1532db91477dea6c238f25077cf46ef84cc1c24ea2b3bb93a860a412d8e5f47b4f93e4c35887cd6c918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
77031887eaa0d7ed5437f00bffc3c8b5

SHA1
c3cb8606865bb1b6af62cf96ceec77d8ccec6666

SHA256
18e307b4bd0462d4388512c656d0ae4ad84b52c8150972fcb140266b7103db46

SHA512
5e2e97ff00282e05e4978b24f5dec246bdd6d8d2fa74a6e1122fa19df07cba8a962f538a7b0d1d293465010dcec8a3a31376efa58a259cd9d10ecfc8640955fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ee8fb56f2abe1b6858bfb0de9982f03a

SHA1
f7964243695b8b0615bb3bcb6cb20b69477ac8c6

SHA256
ca1801aeed42f2b491daf25f82d31286a0c7f752e3143e1d33f53410ebf68819

SHA512
36045b5f38557f9855528be3cdf8b27f3f21f5ff5f70932cd4e65da72a23b72291a95d29eab0a2f468f2dfcb1a99ecc062ce3e188d5afa24e9a52bc7f487e290

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e1e85df6898c94d3cbb950d26d1a1b45

SHA1
64f55564ad128849c780ead11e61a998980d8866

SHA256
eba9744c8ac67190cbece4484ef7a25753aa940a99fb86eb0b27f4277cb20c6c

SHA512
dac46526fc642c124871501642986fda96016acc0e46c2b25e01de61da42eefa712e855702a28aff6623ac7f73af3f7b6c8e155ecda9ff7e3b9a277e237796da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
290501cecf91af2c4b29b1af2f844dd6

SHA1
852b794ed978b1ae3e292d86ebd63f8ecb26e7b6

SHA256
7d8543643823b04ae4ee3a6cf7903bcf903630b9072442f06913eb6376e5efd6

SHA512
f6e6a6dcc4f7e0edd5a50acab8ad677ec50df4fea65d3451b096e2a6ff2bfb0458ee4fc244c8ad85a36a1be2eefb6148c8f39d08e29c703db52b08177a1bc647

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\default\https+++www.roblox.com\idb\3140325527hBbDa.sqlite

Filesize
48KB

MD5
f68eae9668297041324d2dd95b9833cf

SHA1
c2e774097f5ee2e827f238bf60b7065515c3a69e

SHA256
db0520007aa54d78ff9e9cff5083c3689d9cd807a89528e46302c61861ead17b

SHA512
49e941ed14e750b4aeff263b89533b0e4698d9759c4d4e00962f4781e7ccfb086ad9db1bbae5ef1da8717271a33f8e4f30eb00cc8ce615ce40db3c59ad4c03a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\default\https+++www.roblox.com\ls\usage

Filesize
12B

MD5
c2a2792fd77ac8605fd5fe2f3b5de6a0

SHA1
5789a86ea5c0f2118b7646ac4588b38d11b53d64

SHA256
53daca7f7ab54cec7cb1188176310e9734828f1ad3888bce910087ce79c0e0e9

SHA512
28d5e1dc99e417b58466afbb6eab779c3dbf7c150d69b0261fe2119d27b16b4b7bce950f87c4fb5140fb8f045f1a04e6edaaefc3ac17b083d27372e2f213cb87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\default\https+++www.roblox.com\ls\usage

Filesize
12B

MD5
3ff97b962db97d2fd6523260cb095bc3

SHA1
6b4394b736867c9a7105170a1a3d385c31865aa7

SHA256
4901f166fdb3598ed36ef93f097a2eef8b38585dd95679e6c8387942bd7ff363

SHA512
d93b9fabc311f56b814b07e6979a4da80d81b28050492ca57e2fa6574e697f631df40d6f89d2925a355050b423b069fb924d80830faaed943a9972617103d9df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\storage\default\https+++www.roblox.com\ls\usage

Filesize
12B

MD5
49c17308bc489115e8a47d63e5cbb10e

SHA1
360637464294c00b6559ffcc4a40aeb096c31873

SHA256
229c4b8ab3efad14d448dee0e824079c1ba1bcaf35c0805e7085f9203c0a6e6b

SHA512
a5f212a793c039dd186333785b7815fd4739773ef81f449a837913f38c34d9c4a8d1ccc331c1f03eb5a729c233df26f51fbdc9cc3542e0ef78da53901d587e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\targeting.snapshot.json

Filesize
4KB

MD5
0fcb139f993fb50bb2e841722c6ecc76

SHA1
9cee9b57f05e3f6148f2e45fb4c150fd931e0119

SHA256
8bdd3ff553539ba286a42ef821ae7efecf8ae484dc13003968ecb21a8af2e83e

SHA512
92a2abb7ec08cc6935cedfcb40333c0e30e4e03d05c1b26827b830062a4fd5659dfcea8eae7c1f6b76461331d5ff158cd78fe455ccbcf71795f939289cb6865d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.SYi33_TC.exe.part

Filesize
5.4MB

MD5
cfefb36838560b726b44c5eb64bc55f6

SHA1
28b9646a5d6e9aecf4b6cdf6bb97fe30f18900f3

SHA256
eb02f21fab1f3bd916d086a5129c7d9aa39027cab9b61e93866e0bfb0724d85a

SHA512
732173841815647fe8d3fa758669afebcf9e754c93ed1722b4d4119d04f6a5297ca6177ee1c777b3302ff6f72a810a037b2d344c66ba6086af791ed8a50c9519

Download Submit
C:\Users\Admin\Downloads\incognito.O2ctCiFA.exe.part

Filesize
275KB

MD5
ae971061b9647b05d8fa0660ca1073b9

SHA1
b3ec58dc7275cb33e111d502acdf967cb9d1ab02

SHA256
bee4a3bc58488566f0cfe750875e7b344f9296905ebb0cb29feb00ad8b42c5bf

SHA512
d1318adb4ce8d2fc50e134bc9eb7eaa3c4b532556133b5f3f372238d1ff61a331ea5c3a4f644d1fdf53e65663f00edee8d69aea5b7d873e9cc7bbce691d247f9

Download Submit
memory/3620-4981-0x000000006BEE0000-0x000000006C0F0000-memory.dmp

Filesize
2.1MB

Download
memory/3620-4778-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/3620-4796-0x000000006BEE0000-0x000000006C0F0000-memory.dmp

Filesize
2.1MB

Download
memory/3620-4779-0x000000006BEE0000-0x000000006C0F0000-memory.dmp

Filesize
2.1MB

Download
memory/3620-5115-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/4376-5123-0x00007FFB0C820000-0x00007FFB0C830000-memory.dmp

Filesize
64KB

Download
memory/4376-5131-0x00007FFB0ADA0000-0x00007FFB0ADB0000-memory.dmp

Filesize
64KB

Download
memory/4376-5129-0x00007FFB0C870000-0x00007FFB0C8A0000-memory.dmp

Filesize
192KB

Download
memory/4376-5128-0x00007FFB0C870000-0x00007FFB0C8A0000-memory.dmp

Filesize
192KB

Download
memory/4376-5121-0x00007FFB0C710000-0x00007FFB0C720000-memory.dmp

Filesize
64KB

Download
memory/4376-5122-0x00007FFB0C710000-0x00007FFB0C720000-memory.dmp

Filesize
64KB

Download
memory/4376-5126-0x00007FFB0C870000-0x00007FFB0C8A0000-memory.dmp

Filesize
192KB

Download
memory/4376-5124-0x00007FFB0C820000-0x00007FFB0C830000-memory.dmp

Filesize
64KB

Download
memory/4376-5127-0x00007FFB0C870000-0x00007FFB0C8A0000-memory.dmp

Filesize
192KB

Download
memory/4376-5130-0x00007FFB0C900000-0x00007FFB0C905000-memory.dmp

Filesize
20KB

Download
memory/4376-5125-0x00007FFB0C870000-0x00007FFB0C8A0000-memory.dmp

Filesize
192KB

Download
memory/4376-5132-0x00007FFB0ADA0000-0x00007FFB0ADB0000-memory.dmp

Filesize
64KB

Download
memory/4376-5133-0x00007FFB0AE30000-0x00007FFB0AE40000-memory.dmp

Filesize
64KB

Download
memory/4376-5134-0x00007FFB0AE30000-0x00007FFB0AE40000-memory.dmp

Filesize
64KB

Download
memory/4376-5135-0x00007FFB0AE50000-0x00007FFB0AE60000-memory.dmp

Filesize
64KB

Download
memory/4376-5136-0x00007FFB0AE50000-0x00007FFB0AE60000-memory.dmp

Filesize
64KB

Download
memory/4376-5137-0x00007FFB0AE50000-0x00007FFB0AE60000-memory.dmp

Filesize
64KB

Download