efc8ed2815bb341e102d9160fe74c12e0fb1f59513b672e5ddf63911d300a014

Resubmissions

02/08/2024, 19:58

240802-ypzeqaxglp 6

02/08/2024, 19:46

02/08/2024, 19:45

02/08/2024, 19:45

02/08/2024, 19:44

02/08/2024, 19:43

02/08/2024, 19:39

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxStudioInstaller.exe
Size

4.4MB
MD5

96054bd5385aa4720717cd4085b91f25
SHA1

472470578ce8706b17b7ac6148461da9dd70eedd
SHA256

efc8ed2815bb341e102d9160fe74c12e0fb1f59513b672e5ddf63911d300a014
SHA512

8ffcba01e51782c4c946b73303d2cff4105c2f7e465100c9cfaa5ae96a7cb51a6c22020c43402e4779053e7e3e1f616b374c7e019e8b089349b46e75f0886615
SSDEEP

98304:4VvqeclcRUVPFZnGJTVgqekkbOcfyzmCQTqVLarbhh/C0S:iqeQVH8gakLpqlwK0S

Score

7^/10

defense_evasion discovery evasion trojan upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002b9fb-244.dat	upx
behavioral1/memory/4916-251-0x00000000009C0000-0x0000000000DA9000-memory.dmp	upx
behavioral1/memory/4916-968-0x00000000009C0000-0x0000000000DA9000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxStudioInstaller.exe

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\MenuBar\icon_chat.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\DraggerTools\Light\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Light\Medium\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\WidgetIcons\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\Settings\Pages\ShotsPageWrapper.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\Qml\QtQuick\Controls.2\Material\Pane.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Dark\Standard\RibbonCheckboxOffHoverSmall.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\FileSync\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\textures\ui\LuaChat\icons\ic-chat-large.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\PurchasePrompt\Actions\SetPurchaseFlow.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\DeveloperFramework\Dark\Large\Close.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\Localization\Dark\Large\TextCapture.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\DeveloperFramework\Votes\rating_up_gray.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\ui\ResetIcon.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\ui\Controls\xboxX.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\InGameMenu\Flags\GetFFlagIGMRefactorPlayerContextualMenuGamepadSupport.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\PlayerScripts\StarterPlayerScripts\PlayerModule.module\CameraModule\CameraToggleStateController.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Light\Medium\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\WidgetIcons\Light\Large\LocalizationTools.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Light\Medium\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\RobloxCrashHandler.exe	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\Settings\Pages\ShareGame\getTranslator.spec.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\TrustAndSafety\Components\TrustAndSafetyApp.spec.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Alerts\Light\Large\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Dark\Medium\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Utility\Light\Standard\CheckboxOff.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\LoadingScreen\Actions\SetGameProductInfo.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\PathEditor\Light\Large\Path2DAddTangent.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\TerrainEditor\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\ui\LegacyRbxGui\popup_redx.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\Settings\Flags\GetFFlagIGMv1ARFlowExpandedAnalyticsEnabled.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Dark\Medium\RibbonConstraint_Plane.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Dark\Medium\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Ribbon\Light\Medium\RibbonPerformance.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\WidgetIcons\Light\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\InspectAndBuy\Actions\SetCollectibleResellableInstances.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\InspectAndBuy\Components\AssetDetails.spec.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\PlayerList\Reducers\GameStats.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\InsertableObjects\Dark\Standard\AudioListener.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\ContactList\Components\ContactListSearchBar.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\Qml\QtQuick\Controls\Styles\Base\TextFieldStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\Flags\GetFFlagReportSentPageV2Enabled.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\ContactList\Components\FriendList\SectionHeader.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\Qml\QtQuick\Controls.2\Imagine\ToolBar.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\PlayerScripts\StarterPlayerScripts_old\ControlScript\MasterControl\VRNavigation.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\TerrainEditor\Light\Large\Smooth.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\WidgetIcons\Light\Large\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\WidgetIcons\Light\Large\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\ui\Chat\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\Toggles\Light\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\Flags\FFlagUseRoactGlobalConfigInCoreScripts.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\Navigation\Light\Standard\CloseWidget.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\WidgetIcons\Dark\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\textures\ui\TopBar\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\FileSync\Light\Large\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Shared\InsertableObjects\Light\Standard\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\ExtraContent\scripts\CoreScripts\Modules\Settings\Components\Blocking\BlockingModalContainer.lua	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\content\studio_svg_textures\Lua\TerrainEditor\Dark\Large\Ramp.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-aa7aa2777dc64b37\Qml\QtQuick\Controls.2\Fusion\PageIndicator.qml	RobloxStudioInstaller.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
3800	TLauncher-Installer-1.4.9.exe
4916	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxStudioInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.4.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 811693.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 615483.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1532	RobloxStudioInstaller.exe
1532	RobloxStudioInstaller.exe
492	msedge.exe
492	msedge.exe
2980	msedge.exe
2980	msedge.exe
1808	msedge.exe
1808	msedge.exe
2340	identity_helper.exe
2340	identity_helper.exe
4776	msedge.exe
4776	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3800	TLauncher-Installer-1.4.9.exe
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe
4916	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2928	2980	msedge.exe	86
PID 2980 wrote to memory of 2928	2980	msedge.exe	86
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 2824	2980	msedge.exe	87
PID 2980 wrote to memory of 492	2980	msedge.exe	88
PID 2980 wrote to memory of 492	2980	msedge.exe	88
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89
PID 2980 wrote to memory of 3996	2980	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\RobloxStudioInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxStudioInstaller.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd378f3cb8,0x7ffd378f3cc8,0x7ffd378f3cd8
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1236 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe
  "C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe" "__IRCT:3" "__IRTSS:25232289" "__IRSID:S-1-5-21-131918955-2378418313-883382443-1000"
    3⤵
    - Checks for any installed AV software in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12673575150989317658,17674252881673270050,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4484

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3568

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1408

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
24.1MB

MD5
79673d0cd668ac6e4ecfc7dcc4db5b23

SHA1
0a576f857765e759f582126f099b0c04c6c6349e

SHA256
8535bf7f8914c54823a1b57e5977c84add0caebfc967567dcf13f8fd843b8b1d

SHA512
a9d1c9d47cf67bf80a60c6250cd84151551e549a1ff179faa62381260d03d531dbd5b1df2bc83a43f71ab5a699aaf593ba6606416e3c8957b6c2fa8e3863f8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
360B

MD5
5154aaa5d111d8a207478d998f108069

SHA1
ef0fb9fe0c699f7a876212f51cf5aad3e649d0ab

SHA256
84ac0bfe511ec84b1b3e2a4a9562c32976df566296f22563ae0d942db94a24a9

SHA512
e5c6ad8b1dfa907390e17d6e02662da70bc5b9bdbcb504bb60396ea552a1cd65708c4356d78f7c2582ce4a3b0cdf41b9dabe62a7a5030a84cfca68afefa9ee2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7df6b9d5caa2bf8d713078477d8bf943

SHA1
1ab19e4498b638ea56a333533404ad91f7c82072

SHA256
2e4839678fe0f7dd0229be42c468cf994c0d30bb44211729ae1c890f10c49f2b

SHA512
a185368a9baee833c6dfc311dc17f3b0eab68330d45c9d5f248d58bd0ceddff853573719c4fecb0cd578019f7b7cb3b8861ad62ff834a00f4a240791e8a2db0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54e18507c0eace2f921527ce46f96d5e

SHA1
d5f67603d98dbc12e4a62ce5f02efbbaf0ac6d3d

SHA256
276f55d86de687407ea0254c17afbc7d9b6d2808f2996afec16082ef821e1232

SHA512
37facb1deef886ce18cc226b35124fe3ab76489e074a5fd1802a2437b2c165fdd5b564002267ce58c3e3f23c99c908e3fd529b04c7622bb48a8a4737d7cd98a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
266baf763ea73dcb9aaf347003c7c75a

SHA1
3d0987e804f19592e13ea0565f8ced6a5c126132

SHA256
1d8df3db608d3e5eccf4ed4b95b7dfda080190a960c490127f0710097a80db6d

SHA512
00a7ee2cdf23a9dff1355d948d5e29f86d668c4055312eea945c52b06619ce7e10cd962d0d96a3104435d8d26ef9709d93424dc825ec0b109c695d96e84949a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6645a35268f1d57c2792ade85eb4bf96

SHA1
1ea1e44924c782c85cc08098d43799a7a6b119b7

SHA256
05dcd2c428c1bd04b5faeaf96543307b4d1822d95956c9d422937645266eace4

SHA512
de0d914285fab3f19c2be06a4b5fb49ef647dfeed1e5ad95771a7c5ce1e01e2f3a75939ac2c40adee65347e754d8e21bc0a7bb202408ef3715f12765553ce971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e20a7cf544d361ef25fbfbbe61bd4a01

SHA1
eaeebf08634e760d324e792bb65cdd5d832921d2

SHA256
839a9644ef5381e4a578323cbb32b28b15dbf1584d3a1aa4dde54bf2617f8863

SHA512
b088578524309fc050e4073805d4881e2b1bb719b5ab852ea5011824f518678208e22fb80c5637a1e52c532c60b7a85c49a2d0eca78adeedd3fc114a7315f016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583a83.TMP

Filesize
1KB

MD5
7a908a37b486cceff8838e1bc25a7608

SHA1
4fc67d71a73f5a3c9173b63fd2b776dc4cce16da

SHA256
0db0e03368e500c0ee661ce90a3ff5a9e505d372705fab951b0c334e55c22270

SHA512
e1b70e573dc2341bb6a037f845ec8e3763758bf3fd256f5dd5000743730b2664a7db44eea6caf8983cc52322b51337bfc96dabd73f648a88a2a5c7a97f483c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
67ddfded28c945b51af1cbde491d810b

SHA1
17e362341963970095e0c1634eea97ec717ea9f5

SHA256
0199d38ab4a153e5c49a5612ba054ee2441ed52a46673fc42a600f216d078631

SHA512
70331c6be6956a418f744958ac13f4df1b8eed16a708b932ead9e9a13bb1db836ace5d1c801daed7e08a4c971e24b072a5202682ce445c5f59f5358856ed9fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4402228916b5471c46e97d3c2e8c4f2

SHA1
2bdc0af16952640ecda3dcf56ce29c25d82ae850

SHA256
ad64108d572f7db943dc0eb8755b7cfdf16fb980fa80b82ddfb9a1d0bca42f29

SHA512
a4dd5eb65cf3ff09190e680194e6f765adac15ee8e9a67d95981a59a31c259d50f43645bcaf2ae2c454bddadf0b59461bf22b4aab9facc5217a06e2deb3dc7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-8-2.1948.1408.1.odl

Filesize
706B

MD5
5fcf518f27f20f0600013ba03193ef50

SHA1
e781eadf3bcc28c4734e10bcd4cdf37f2f7c6c31

SHA256
b4e5c09c036f64f8ab6571600daeb26da877b5d434b067c698e86f6eed9ce562

SHA512
63bec5473da9e39dc581247191ff39e444c256a70a5564d94f90647dcb1c3df58f71835f6edd9068e06963a3e5499e562ffb7fa20b5c0c33360dd7d894780bc5

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-studio\24591f85e9569269a3b822d0da2e0626

Filesize
5.5MB

MD5
24591f85e9569269a3b822d0da2e0626

SHA1
62641ade4943b93983b4e59ffd6ee4dcbd77c17e

SHA256
d29bcf294dd77568fd173adac8c705d991482d645127baccb7efca20f560a5a2

SHA512
d0bfe43ece2c598a12fe7d3f2cd12e0685b639aec0fc7a1bbdf0829b886c22208e4236500d8e6540d7faef1514769b87bbdc666602c5548649e50aa61f2077de

Download Submit
C:\Users\Admin\AppData\Local\Roblox\logs\cacert.pem

Filesize
219KB

MD5
1a4af016c683d93ebfa916f641da64ac

SHA1
c89c32b9620917d1cdbf34fb5b03f1a595e48e3a

SHA256
9483f4bcc05eea3c5929627130b8e574fdc850b4fac319d7e98c4f68c59a3a0f

SHA512
3b2ca0d5d0bdee0d060d50c71c88c9c7d35c9d0f0956b135ca6ddfa2618feba5774fbff2ce866f18ae20b90139e0c1eb8bf4087ac9337498b733d0da434d3eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
f3b300079862aff353b412d490bf5abc

SHA1
b61ad13daa7d39a02aa1329788ece0737390a45d

SHA256
c052cb74d9b0ce37efba9c018b5bcf74c51cfbdcaf990ae53cb9772ea318945a

SHA512
d6e02701ec0990fd9a4b0e82ce69048a35ac114e7515ed2ed6a445ec9f8ad9f98287491e087a269b3e973fb55da360e2df1a516a9fa850c68cfcfaadacb2fbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4916-925-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4916-251-0x00000000009C0000-0x0000000000DA9000-memory.dmp

Filesize
3.9MB

Download
memory/4916-969-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4916-968-0x00000000009C0000-0x0000000000DA9000-memory.dmp

Filesize
3.9MB

Download