Analysis

max time kernel: 299s
max time network: 290s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 15:37

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbU9LcE5kbmYwVWNGd3RFbVRkdFFEY0hhb3FqUXxBQ3Jtc0tuNmRMSkJUMEZ5RFZnSHdWZng3LXNzVHFuNVhGSUFxVzl3a2JzbHFMRk9LcGoxeUhSUE50aVRlUnVhdHpWdVZhQ21Pd2U5R2hIVnRxS2MtN0g5SEh5UjlkeDdSVTBHX0VkOW5fMkEtRURfaFltNUR6QQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fhyq6t9swctebw%2Fd&v=1cGqgO3iyu0
Resource: win10v2004-20240802-en

General

Target: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbU9LcE5kbmYwVWNGd3RFbVRkdFFEY0hhb3FqUXxBQ3Jtc0tuNmRMSkJUMEZ5RFZnSHdWZng3LXNzVHFuNVhGSUFxVzl3a2JzbHFMRk9LcGoxeUhSUE50aVRlUnVhdHpWdVZhQ21Pd2U5R2hIVnRxS2MtN0g5SEh5UjlkeDdSVTBHX0VkOW5fMkEtRURfaFltNUR6QQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fhyq6t9swctebw%2Fd&v=1cGqgO3iyu0
The submitted URL is a YouTube redirect; the q= parameter carries the real destination, a MediaFire folder (https://www.mediafire.com/folder/hyq6t9swctebw/d), from which the RobloxBreaking download in the process tree originates.

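The decoding step behind that note, as an added example for this report (not part of the sandbox output and not code from the sample): it unwraps youtube.com/redirect links to the destination they actually open, so that classification happens on the MediaFire URL rather than on youtube.com. The REDIRECTORS table and the FILE_HOSTS list are assumptions for the example; the nested link is constructed to show that the unwrapping also handles a redirect wrapped in another redirect.

```python
"""Unwrap a youtube.com/redirect link to the destination it actually opens.

Added example for this report (not part of the sandbox output): the submitted
URL is a YouTube redirect whose q= parameter carries the real target, a
MediaFire folder. Classification must be done on the decoded destination;
a domain allowlist that only sees youtube.com would pass this link.
"""
from urllib.parse import urlparse, parse_qs, quote

# Syntactic redirectors: host -> (path, query parameter holding the target).
# Assumption: this table is illustrative; extend it for your environment.
REDIRECTORS = {
    "www.youtube.com": ("/redirect", "q"),
    "youtube.com": ("/redirect", "q"),
}

# File-hosting services worth flagging when they are the final destination
# (constructed list for the example).
FILE_HOSTS = {"www.mediafire.com", "mediafire.com"}

# The sample from this report.
SAMPLE = (
    "https://www.youtube.com/redirect?event=video_description"
    "&redir_token=QUFFLUhqbU9LcE5kbmYwVWNGd3RFbVRkdFFEY0hhb3FqUXxBQ3Jtc0tuNmRMSkJUMEZ5RFZnSHdWZng3LXNzVHFuNVhGSUFxVzl3a2JzbHFMRk9LcGoxeUhSUE50aVRlUnVhdHpWdVZhQ21Pd2U5R2hIVnRxS2MtN0g5SEh5UjlkeDdSVTBHX0VkOW5fMkEtRURfaFltNUR6QQ"
    "&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fhyq6t9swctebw%2Fd"
    "&v=1cGqgO3iyu0"
)

# Constructed: the same link wrapped in a second redirect hop, to show that
# the unwrapping generalises to nested redirectors.
NESTED_SAMPLE = "https://www.youtube.com/redirect?q=" + quote(SAMPLE, safe="")


def unwrap_redirects(url: str, max_hops: int = 5) -> list:
    """Return [submitted_url, hop_1, ..., final_destination].

    Only syntactic redirectors are followed (the target is embedded in the
    URL itself), so this runs offline and never touches the hosting site.
    max_hops and the loop guard keep a crafted chain from spinning forever.
    """
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        rule = REDIRECTORS.get(parsed.netloc.lower())
        if rule is None or parsed.path != rule[0]:
            break
        values = parse_qs(parsed.query).get(rule[1])  # parse_qs percent-decodes
        if not values:
            break
        nxt = values[0]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def classify(url: str) -> dict:
    """Summarise where the link ends up and whether that is a file host."""
    chain = unwrap_redirects(url)
    final_host = urlparse(chain[-1]).netloc.lower()
    return {
        "final_host": final_host,
        "hops": len(chain) - 1,
        "file_host": final_host in FILE_HOSTS,
        "chain": chain,
    }


if __name__ == "__main__":
    for u in (SAMPLE, NESTED_SAMPLE):
        print(classify(u))
```

Because the target is recovered from the URL text alone, this can run on a submission queue before anything is detonated, and the decoded chain is what should go into the case notes and the blocklist.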
Malware Config

Signatures

Meduza Stealer payload 3 IoCs
All three matches are in the memory of the two child RobloxBreaking.exe processes (PIDs 2084 and 1596), in a region starting at 0x140000000, the default image base of a 64-bit PE; see the SetThreadContext entry below for how those children were populated.
resource | yara_rule
behavioral1/memory/2084-437-0x0000000140000000-0x000000014014F000-memory.dmp | family_meduza
behavioral1/memory/2084-442-0x0000000140000000-0x000000014014F000-memory.dmp | family_meduza
behavioral1/memory/1596-763-0x0000000140000000-0x000000014014F000-memory.dmp | family_meduza

Checks computer location settings 2 TTPs 2 IoCs
Reads the country code configured in the registry, most likely to geofence the infection.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | RobloxBreaking.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | RobloxBreaking.exe

Executes dropped EXE 2 IoCs
pid | Process
2084 | RobloxBreaking.exe
1596 | RobloxBreaking.exe

Loads dropped DLL 2 IoCs
pid | Process
2732 | RobloxBreaking.exe
4280 | RobloxBreaking.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs
Each of the five profile keys below was opened twice by RobloxBreaking.exe (10 IoCs). The 9375CFF0413111d3B88A00104B2A6676 subkey holds the per-account settings of an Outlook profile, which is where stealers look for stored mail credentials.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
291 | api.ipify.org
292 | api.ipify.org
327 | api.ipify.org

Suspicious use of SetThreadContext 2 IoCs
In both cases the parent sets the thread context of a child that runs the same RobloxBreaking.exe image, the shape of process hollowing / self-injection; the child PIDs (2084, 1596) are the ones whose memory matched family_meduza above.
description | pid | Process | procid_target
PID 2732 set thread context of 2084 | 2732 | RobloxBreaking.exe | 128
PID 4280 set thread context of 1596 | 4280 | RobloxBreaking.exe | 161

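The correlation a detection engineer would want from the SetThreadContext, dropped-EXE and yara entries, as an added example (not a sandbox rule and not code from the sample): it flags a process that sets the thread context of a child it created running the same image, and then ties the family_meduza memory dumps back to those children. The trace is constructed from the PIDs and paths in this report; the event layout is an assumption, not the sandbox's export format. Note that PID 4280 is an Edge renderer earlier in the process tree and is reused by the second RobloxBreaking.exe instance, so the example keys its state on (pid, image) rather than on the PID alone.

```python
"""Correlate SetThreadContext with a same-image parent/child pair.

Added example, not the sandbox's rule and not code from the sample: in this
report RobloxBreaking.exe (PID 2732) sets the thread context of a second
RobloxBreaking.exe (PID 2084), and again 4280 -> 1596; the family_meduza rule
then matches in the memory of exactly those two children at 0x140000000.
The trace below is constructed from the report's PIDs and paths; the event
layout is an assumption, not the sandbox's export format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int              # order within the trace
    kind: str             # "create" | "write_memory" | "set_thread_context"
    pid: int              # acting process
    image: str            # image path of the acting process
    target: int           # target PID
    target_image: str     # image path of the target process


EXE = r"C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed trace. Edge writes into its own children too, which is why
# WriteProcessMemory alone is noise in the signature list.
TRACE = [
    Event(1, "create", 1704, EDGE, 4716, EDGE),
    Event(2, "write_memory", 1704, EDGE, 4716, EDGE),
    Event(3, "create", 2732, EXE, 2084, EXE),
    Event(4, "write_memory", 2732, EXE, 2084, EXE),
    Event(5, "set_thread_context", 2732, EXE, 2084, EXE),
    # PID 4280 was an Edge renderer first and was reused by the second
    # RobloxBreaking.exe instance, so state is keyed on (pid, image).
    Event(6, "create", 1704, EDGE, 4280, EDGE),
    Event(7, "create", 4280, EXE, 1596, EXE),
    Event(8, "set_thread_context", 4280, EXE, 1596, EXE),
]

# The three yara hits from the "Meduza Stealer payload" section.
YARA_HITS = [
    "behavioral1/memory/2084-437-0x0000000140000000-0x000000014014F000-memory.dmp",
    "behavioral1/memory/2084-442-0x0000000140000000-0x000000014014F000-memory.dmp",
    "behavioral1/memory/1596-763-0x0000000140000000-0x000000014014F000-memory.dmp",
]
DUMP_RE = re.compile(r"^(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
X64_DEFAULT_IMAGE_BASE = 0x140000000   # MSVC default for 64-bit executables


def find_hollowing(trace):
    """(parent_pid, child_pid, image) for every SetThreadContext where the
    acting process targets a child it created that runs the same image."""
    children = defaultdict(set)           # (pid, image) -> {child pids}
    hits = []
    for ev in sorted(trace, key=lambda e: e.seq):
        key = (ev.pid, ev.image.lower())
        if ev.kind == "create":
            children[key].add(ev.target)
        elif ev.kind == "set_thread_context":
            if ev.target in children[key] and ev.image.lower() == ev.target_image.lower():
                hits.append((ev.pid, ev.target, ev.image))
    return hits


def parse_dump_name(name):
    """Split '<pid>-<n>-0x<start>-0x<end>-memory.dmp' into its parts."""
    m = DUMP_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        return None
    start, end = int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": int(m.group(1)), "start": start, "size": end - start}


def payload_hits_in_hollowed_children(trace, yara_hits):
    """Yara hits whose dump belongs to a hollowed child and starts at the
    default x64 image base, which is consistent with a whole PE mapped by
    the parent rather than a shellcode blob."""
    hollowed = {child for _, child, _ in find_hollowing(trace)}
    out = []
    for name in yara_hits:
        d = parse_dump_name(name)
        if d and d["pid"] in hollowed and d["start"] == X64_DEFAULT_IMAGE_BASE:
            out.append((d["pid"], d["size"]))
    return out


if __name__ == "__main__":
    print(find_hollowing(TRACE))
    print(payload_hits_in_hollowed_children(TRACE, YARA_HITS))
```

The same-image requirement is what keeps Chromium's legitimate child-process setup (Edge PID 1704 writing into 4716 and friends) out of the result; a variant of the stealer that hollows a system binary instead would need the image check relaxed to "target image differs from the parent's and was created suspended", which this report does not show.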
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. All eight hits come from Adobe Reader processes (RdrCEF.exe, AcroRd32.exe), not from RobloxBreaking.exe.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe (7 hits)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe (1 hit)

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems. Here the ping is the delay half of the sample's self-delete command in the process tree (ping 1.1.1.1 -n 1 -w 3000, followed by Del /f /q of the sample's own executable), not a genuine connectivity check.
pid | Process
1256 | cmd.exe
3456 | PING.EXE
4008 | cmd.exe
2720 | PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. All three hits here come from taskmgr.exe, not from the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Both hits come from AcroRd32.exe, not from the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs
All six hits come from msedge.exe; each of the three entries below appears twice.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | msedge.exe

NTFS ADS 2 IoCs
The sample opens an alternate data stream named a.dll on its own executable for modification, which is consistent with the Loads dropped DLL hits above: a DLL carried in a stream of the executable is invisible to a plain directory listing.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe:a.dll | RobloxBreaking.exe
File opened for modification | C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe:a.dll | RobloxBreaking.exe

Opens file in notepad (likely ransom note) 1 IoCs
This is a generic heuristic: the file opened is C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\Serial.txt (see the process tree). Nothing in this report shows it being written by the sample, so treat the ransom-note label as a false positive of the heuristic.
pid | Process
5164 | NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs
pid | Process
3456 | PING.EXE
2720 | PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
The listing is capped at 64 entries; collapsed to distinct processes:
pid | Process
4912 | msedge.exe
1704 | msedge.exe
2376 | identity_helper.exe
800 | msedge.exe
5444 | msedge.exe
2084 | RobloxBreaking.exe
5892 | AcroRd32.exe
5836 | taskmgr.exe
4952 | msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3828 | OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs
Collapsed to distinct processes:
pid | Process | hits
1704 | msedge.exe | 19
6112 | msedge.exe | 8

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5836 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5836 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5836 | taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs
The listing is capped at 64 entries, all from the same process:
pid | Process
1704 | msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs
The listing is capped at 64 entries; collapsed to distinct processes:
pid | Process
1704 | msedge.exe
5836 | taskmgr.exe
6112 | msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs
Collapsed to distinct processes:
pid | Process | hits
3828 | OpenWith.exe | 19
5892 | AcroRd32.exe | 6

Suspicious use of WriteProcessMemory 64 IoCs
The listing is capped at 64 entries, all of them msedge.exe (PID 1704) writing into its own child processes (the crashpad handler, GPU, network-service and storage-service processes in the tree below); collapsed to distinct targets:
description | pid | Process | procid_target
PID 1704 wrote to memory of 1588 | 1704 | msedge.exe | 82
PID 1704 wrote to memory of 4716 | 1704 | msedge.exe | 83
PID 1704 wrote to memory of 4912 | 1704 | msedge.exe | 84
PID 1704 wrote to memory of 2652 | 1704 | msedge.exe | 85
Any WriteProcessMemory calls by RobloxBreaking.exe fall outside the 64-entry cap and are not shown here.

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RobloxBreaking.exe

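A way to turn the registry-based signatures above (geofence, Outlook profiles, NLS language, SCSI, processor and BIOS enumeration, outlook_office_path / outlook_win_path) into a per-process score, as an added example that is not the sandbox's rule set. The key-path patterns are taken from this report's IoCs; the weights, the benign-process list and the event layout are assumptions for the example. The point it makes is the one the report itself shows: the hardware and language keys are hit by msedge.exe, taskmgr.exe and Adobe Reader in this run, so only the geofence and Outlook-profile keys separate RobloxBreaking.exe from the noise.

```python
"""Score processes by the registry keys they touch, using the key paths
listed in the signatures above.

Added example (not the sandbox's own rule set): each rule is a key-path
pattern taken from this report's IoCs, labelled with the report's signature
name and a weight. The hardware and language keys are read by msedge.exe,
taskmgr.exe and Adobe Reader in this very run, so they carry low weight;
the geofence and Outlook-profile keys are what separate the stealer from
the noise. Events are constructed from the report; their layout is an
assumption.
"""
import re

# (signature name as it appears in the report, key-path pattern, weight)
RULES = [
    ("Checks computer location settings",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), 2),
    ("Accesses Microsoft Outlook profiles",
     re.compile(r"\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676", re.I), 3),
    ("System Location Discovery: System Language Discovery",
     re.compile(r"\\Control\\NLS\\Language$", re.I), 1),
    ("Checks SCSI registry key(s)",
     re.compile(r"\\Enum\\SCSI\\", re.I), 1),
    ("Checks processor information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), 1),
    ("Enumerates system info in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I), 1),
]

# Processes that hit the low-weight keys in this run without being the sample
# (assumed benign list for the example).
KNOWN_BENIGN = {"msedge.exe", "taskmgr.exe", "acrord32.exe", "rdrcef.exe"}

USER = r"\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000"
MACHINE = r"\REGISTRY\MACHINE"

# Constructed events: (process, operation, key); values taken from the report.
EVENTS = [
    ("RobloxBreaking.exe", "Key value queried", USER + r"\Control Panel\International\Geo\Nation"),
    ("RobloxBreaking.exe", "Key opened",
     USER + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("RobloxBreaking.exe", "Key opened",
     USER + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("RdrCEF.exe", "Key opened", MACHINE + r"\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("taskmgr.exe", "Key opened",
     MACHINE + r"\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000"),
    ("msedge.exe", "Key value queried", MACHINE + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("AcroRd32.exe", "Key value queried", MACHINE + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("AcroRd32.exe", "Key opened", MACHINE + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
]


def match_rules(key):
    """Names of every rule whose pattern matches the key path."""
    return [name for name, pat, _ in RULES if pat.search(key)]


def score(events):
    """Per-process summary: distinct signatures hit, their summed weight,
    and whether the process is on the benign list. A signature counts once
    per process no matter how many keys under it were touched."""
    weights = {name: w for name, _, w in RULES}
    per_proc = {}
    for proc, _op, key in events:
        per_proc.setdefault(proc, set()).update(match_rules(key))
    return {
        proc: {
            "signatures": sorted(sigs),
            "score": sum(weights[s] for s in sigs),
            "known_benign": proc.lower() in KNOWN_BENIGN,
        }
        for proc, sigs in per_proc.items()
    }


def suspects(events, threshold=3):
    """Processes scoring at or above threshold that are not known-benign."""
    return sorted(p for p, v in score(events).items()
                  if v["score"] >= threshold and not v["known_benign"])


if __name__ == "__main__":
    for proc, summary in score(EVENTS).items():
        print(proc, summary)
    print("suspects:", suspects(EVENTS))
```

Counting each signature once per process is deliberate: the report lists the same Outlook key twice and the same BIOS keys twice, and repetition says nothing about intent. The benign list is a triage convenience, not a security boundary; a stealer that injects into msedge.exe would inherit the label, so the injection correlation and the scoring need to be read together.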
Processes

Depth in the tree is given in brackets; a [2] entry is a child of the preceding [1] entry, and so on.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1704)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbU9LcE5kbmYwVWNGd3RFbVRkdFFEY0hhb3FqUXxBQ3Jtc0tuNmRMSkJUMEZ5RFZnSHdWZng3LXNzVHFuNVhGSUFxVzl3a2JzbHFMRk9LcGoxeUhSUE50aVRlUnVhdHpWdVZhQ21Pd2U5R2hIVnRxS2MtN0g5SEh5UjlkeDdSVTBHX0VkOW5fMkEtRURfaFltNUR6QQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fhyq6t9swctebw%2Fd&v=1cGqgO3iyu0
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1588)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ab646f8,0x7ffd3ab64708,0x7ffd3ab64718

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4716)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4912)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2652)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1396)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2376)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5496)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6824 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 800)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5444)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6704 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

  [2] Renderer processes of PID 1704 (no signatures on any of them), all launched as
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18347449428726997813,4274898350563264113,131072 --lang=en-US --disable-client-side-phishing-detection [--instant-process] --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=<id> --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=<handle> /prefetch:1
      with the following per-process values, in the order the report lists them:
      PID | renderer-client-id | mojo-platform-channel-handle | --instant-process
      5008 | 6 | 3312 | no
      3032 | 5 | 3336 | no
      736 | 8 | 5056 | no
      4280 | 9 | 5072 | yes
      4768 | 10 | 5472 | no
      3880 | 11 | 5540 | yes
      856 | 12 | 3432 | no
      3128 | 13 | 1900 | no
      3876 | 14 | 3436 | no
      3032 | 15 | 4996 | no
      3100 | 16 | 2632 | no
      832 | 17 | 6336 | no
      4408 | 18 | 6484 | no
      5008 | 19 | 6624 | no
      1708 | 20 | 6860 | no
      5196 | 21 | 2324 | no
      5284 | 22 | 7064 | no
      5504 | 25 | 7060 | no
      5872 | 27 | 6108 | no
      PIDs 5008 and 3032 each appear twice (reused after the earlier renderer exited), and PID 4280 is later reused by the second RobloxBreaking.exe instance in the signatures above, so PID alone does not identify a process across this run.

[1] C:\Windows\System32\CompPkgSrv.exe (PID 4956)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe (PID 1020)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\rundll32.exe (PID 3128)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe (PID 2732)
    "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS

  [2] C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe (PID 2084)
      "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\System32\cmd.exe (PID 1256)
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
        - System Network Configuration Discovery: Internet Connection Discovery

      [4] C:\Windows\system32\PING.EXE (PID 3456)
          ping 1.1.1.1 -n 1 -w 3000
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

[depth 1] C:\Windows\system32\NOTEPAD.EXE
  cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\Serial.txt
  - Opens file in notepad (likely ransom note)
  PID: 5164

[depth 1] C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 3828

  [depth 2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\bin\data\FLEngine_x64.dll"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 5892

    [depth 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - System Location Discovery: System Language Discovery
      PID: 4040

      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6EEB6CB78C7E5382622A1DEFC6B0835E --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery
        PID: 1224

      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B62B5EDF713A71A7214E5C4740726E8D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B62B5EDF713A71A7214E5C4740726E8D --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
        - System Location Discovery: System Language Discovery
        PID: 1612

      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF79BBAF0FBBAC69AE44868F41F423B1 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery
        PID: 6112

      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3C9AB4207AB3587456EBE985EA89F9F --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery
        PID: 2092

      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C9B8AF5EAB3C18BF2D04DAA26C19A31 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery
        PID: 4836

      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FABFD13E6A2C3FB1A0DD8E9027D4DE0B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FABFD13E6A2C3FB1A0DD8E9027D4DE0B --renderer-client-id=8 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job /prefetch:1
        - System Location Discovery: System Language Discovery
        PID: 5316
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2416

[depth 1] C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID: 5836
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID: 6112

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3ab646f8,0x7ffd3ab64708,0x7ffd3ab64718
    PID: 4296

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    PID: 5216

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 4952

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
    PID: 3468

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    PID: 6060

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    PID: 992

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
    PID: 5352

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    PID: 5596

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4180 /prefetch:8
    PID: 2820

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    PID: 528

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    PID: 5924

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    PID: 5936

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    PID: 3688

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
    PID: 3188

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12263262809923383092,13275672936116449143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    PID: 1348
[depth 1] C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe
  cmdline: "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - NTFS ADS
  PID: 4280

  [depth 2] C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe
    cmdline: "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID: 1596

    [depth 3] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 4008

      [depth 4] C:\Windows\system32\PING.EXE
        cmdline: ping 1.1.1.1 -n 1 -w 3000
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2720
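Two behaviours in the RobloxBreaking.exe trees above are worth turning into detection logic: the `cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "...\RobloxBreaking.exe"` chain (ping used as a sleep, then deletion of the parent's own image, a common stealer clean-up), and the outer RobloxBreaking.exe (PID 2732 / 4280), flagged with SetThreadContext, spawning a second copy of itself (PID 2084 / 1596), which is the process in which the Meduza payload is then matched in memory. The following is an added example and not part of the report: Python that runs those two rules over process records constructed from the tree. PIDs, images and command lines are copied from the report; the record format, the regex and the benign Edge parent/child pair used as a control are assumptions made for the example.

```python
"""Triage rules for a sandbox process tree (added example, not report code).

Rule 1: a cmd.exe chain that sleeps via ping/timeout and then del/erase-s a file
        which is the image of one of its own ancestors (self-deletion).
Rule 2: a parent carrying a SetThreadContext signature that spawns a child from
        the same image (the process-hollowing shape seen in the report).
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for a root of the recorded tree
    image: str
    cmdline: str
    sigs: tuple = ()      # sandbox signature names attached to the process


EXE = r"C:\Users\Admin\Downloads\RobloxBreaking\RobloxBreaking\RobloxBreaking.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed from the report's second RobloxBreaking.exe tree (4280 -> 1596 -> 4008 -> 2720),
# plus an Edge parent/child pair (6112 -> 4296) as a benign same-image control.
SAMPLE_TREE = (
    Proc(4280, None, EXE, '"' + EXE + '"',
         ("Loads dropped DLL", "Suspicious use of SetThreadContext", "NTFS ADS")),
    Proc(1596, 4280, EXE, '"' + EXE + '"',
         ("Checks computer location settings", "Executes dropped EXE",
          "Accesses Microsoft Outlook profiles")),
    Proc(4008, 1596, CMD,
         '"' + CMD + '" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "' + EXE + '"',
         ("System Network Configuration Discovery: Internet Connection Discovery",)),
    Proc(2720, 4008, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    Proc(6112, None, EDGE, '"' + EDGE + '" --profile-directory=Default',
         ("Enumerates system info in registry",)),
    Proc(4296, 6112, EDGE, '"' + EDGE + '" --type=crashpad-handler'),
)

# ping/timeout used as a delay, a command separator, then del/erase of a quoted
# or bare path that ends the command line (case-insensitive, like cmd.exe).
SELF_DELETE_RE = re.compile(
    r'(?i)\b(?:ping|timeout)\b[^&|]*[&|]+\s*(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$'
)


def _ancestors(procs, pid):
    """Yield the parent chain of `pid`, nearest first; `seen` guards against PID-reuse loops."""
    by_pid = {p.pid: p for p in procs}
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            yield cur


def find_self_deletion(procs):
    """Return (cmd_pid, victim_pid, path) for cmd.exe chains that delete an ancestor's image."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith("cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        for anc in _ancestors(procs, p.pid):
            if anc.image.lower() == target.lower():
                hits.append((p.pid, anc.pid, target))
                break
    return hits


def find_self_spawn_with_threadcontext(procs):
    """Return (parent_pid, child_pid) where a SetThreadContext-flagged parent spawns its own image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        if any("SetThreadContext" in s for s in parent.sigs):
            hits.append((parent.pid, child.pid))
    return hits


if __name__ == "__main__":
    for cmd_pid, victim, path in find_self_deletion(SAMPLE_TREE):
        print(f"self-delete: cmd.exe {cmd_pid} removes image of ancestor {victim}: {path}")
    for parent, child in find_self_spawn_with_threadcontext(SAMPLE_TREE):
        print(f"possible hollowing: {parent} -> {child} (same image, SetThreadContext in parent)")
```

Two caveats when porting this to real telemetry. First, the report itself reuses PID 6112 within the five-minute run (an RdrCEF.exe gpu-process and, later, the msedge.exe parent), so key the parent/child join on a process GUID or start time rather than the bare PID. Second, a same-image child plus SetThreadContext is also produced by some packers and debuggers; treat the second rule as a lead to pivot on, and let the memory YARA match on the child (the family_meduza hits at 0x140000000 in PIDs 2084 and 1596 above) be the confirmation.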
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Credential Access
  T1555 Credentials from Password Stores (1)
    T1555.003 Credentials from Web Browsers (1)
  T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
Discovery
  T1217 Browser Information Discovery (1)
  T1120 Peripheral Device Discovery (1)
  T1012 Query Registry (5)
  T1018 Remote System Discovery (1)
  T1082 System Information Discovery (5)
  T1614 System Location Discovery (1)
    T1614.001 System Language Discovery (1)
  T1016 System Network Configuration Discovery (1)
    T1016.001 Internet Connection Discovery (1)
Downloads

Filesize: 152B
MD5: 111c361619c017b5d09a13a56938bd54
SHA1: e02b363a8ceb95751623f25025a9299a2c931e07
SHA256: d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512: fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Filesize: 152B
MD5: 983cbc1f706a155d63496ebc4d66515e
SHA1: 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256: cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512: d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Filesize: 152B
MD5: 3275b79e8797a6cfe50c388b3db6faf1
SHA1: dcb04fed985c02893d5f19cfdd6ad4eee58f84e0
SHA256: 337f1ea425c4f124eaef20cb9bf3d04657b0153ce1f6719557fdf60926e53135
SHA512: 26489a45a909cd1791053a922e2212b9d475c22635d118bba47a8e42b824bbb4b693306a6436f63fe8b6ec85f143f15eaa0a2427ee9534b49e1e00f0c0b702e9

Filesize: 152B
MD5: 31d9f16f84dab4cbc0db6b2c3339028c
SHA1: c06f136434affe4becf173ae187cd031ef42e307
SHA256: f84ef10c06c0d9545bf8b3616d9ea09f69f191174a2df99d13403701cd96f5af
SHA512: 09552c68d3e9b6d6074375b3360e48634be3c88af737f375d420db2c09b1c760777e37166ed0ee4fa21252297dc4ee8e8cbbb56a87ec16dc91e9d1774fa2bbf5

Filesize: 44KB
MD5: a71b14d39b117a7680130ff0d878f6e0
SHA1: f54b17916a3258623f5ba5cd4e0037403160ff1e
SHA256: f2e94c2ae944ae3d29c8bfa8b36567e6c061faf2cc01565e45fe895672115ce0
SHA512: 979829245a6a87ebb4d4e11d7e506bd4822abf1c166eae5a1003631e39d480cd4b0c9c1718056940eaa484d91f9a07d966da6f20051433661f9b04a6cbdf75d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 3f974c5552e97431a687da4bdbd75e20
SHA1: 070220c4447f561473bd33ea23d90a9af28b2efe
SHA256: 4d201f681e93a9fab13ae40119811ea3496309a7657da2fd5e735911433f1117
SHA512: 98a2f829cc0c0d1d8bb0f1fcdce09e3b7d569a0b981bedf69f94d6caffa55df88368d15d6cd521ef9587d8a4ea7dbd76674d7a70efbd1f700813b0992ec03a0f

Filesize: 36KB
MD5: 6aaac7d1a7473299383c3a8f5f117247
SHA1: 1700364ffe6f2b5e3e83e5da58b501606edbc93d
SHA256: 9e9aacdbd4b12777751af4bb6e719b0d3c1eee7a1c62754e8d47aa134da477c9
SHA512: 635a78f3a7eb581a7de1b069a8a288984b2bf657abed12d7f4534601367e8c8e7fb4f6643aa72d424aa7094bedd38777c5aa987eab87cd516c5bc3256dc6d0a1

Filesize: 36KB
MD5: c50ef561f743dba9c7818e7d7c3f0b6c
SHA1: 86926f1a9c32857dac6462a74bed82b74d9648c5
SHA256: b29f2f427b32d5214d699003e94c292f974fa1153590d56e0b015a16cd15f677
SHA512: 05606e4d09b9d75b83b198f3be8cc59e6cf13cc7d1ce42de17ff28edf691c261dfce1217c0be4e1a470faa7f761e58732be1ac7e77f68280740f30a7a997e087

Filesize: 20KB
MD5: 7925d3fe58bcbc88d3af046038c3e549
SHA1: 15433208e55d47a340dbce6b0f2a1347f2fa4f7e
SHA256: f62a193a5b05270dee85eb8465b54cf6b6dd46e534fa55f8a822904ed2968792
SHA512: 6b3f25e47bb7ed25d73e8a4c0932b13cda909766f382feec428ea3fd17372b3972607c52e869aac05bdaf4e790af06729842c6ebed78cc890cac58ce7e62a2a3

Filesize: 264KB
MD5: 97787f5773fa74284d07ef62817aee5c
SHA1: 60047044ff1f42f0a9cbe706d04b583119652f42
SHA256: f850eb7656f82d9702a5cb87043cc76c8448b577ee3dcd56f7822cf1b78c0d37
SHA512: ca8976fccdaa5134856aaad2dbfabc582f6bdeb9ca52acc1453793e9bd8e7a35b9590fd76b2813db786078ee2632e1eb026fb30bbf6d965801924bf4b53fee56

Filesize: 160KB
MD5: 8fcac13e3d4a48725ea61ca18bf562c8
SHA1: 6ee1e73c586307be22933744f0a9ed80edc57f03
SHA256: 2cd76f45dabf5922fbdb3c85b948b287e173977496dd0f19365f364d1d83a8e8
SHA512: a2c4bb25b0e6ba98f1cef3aed643f2b126088ba31ea6fc9488e686aeb87031b5d17105ba35bfb2c6d5e63595779aead6e9c8a1ef18cf17111696055d852e0221

Filesize: 160KB
MD5: df1df97c52dd12e33b403c167f900bdb
SHA1: 959171635fb08a2a863ff07a453e4da04d45ed69
SHA256: 00bdd4057697fac959ee905746cf2a5277dc835410275280f5c588d39bb39343
SHA512: a199a1cce09001864709e33f0b83a4c27f123e6c535cc7d4b85f0674d1a5194f794013126edc717a0b0c6229b10a9a5efd78fceb3c8f877ac8af6d65fd6b8504

Filesize: 18KB
MD5: 223df455ae9d7ff6c37bcd269670f585
SHA1: 9e850fc5e63915551f2467f24da22fc8bc378a24
SHA256: fff7bc3ae0ef9b481de08e4be8be2d5064cbb2284ecb0a2b48c3ddc01aa71ff9
SHA512: 69f1a6f8ba51a48edf2c818d43cc0894448f28fc3edc0795bdd730f12d9aa4aa77909e3c9e9f24b4bf145117f0f7b5775c54591d4af43591bbc85eefe1891b8c

Filesize: 3KB
MD5: 1a8d368280c5bd241272aa041695c47e
SHA1: c07d87ecbd895976768c8b53d9e99fb0418254c9
SHA256: 3b779935344633397841ea0e8b726ffb986b16da5c34661a9e2d713f9f375ec5
SHA512: 45fa01c661e5783a3e2567c5043ed441b719f9ac90816b7c8f56b482ee7814d2442d38bb5a0941ef6bc1603abc8a5227f4be0cedfb1a58b08d99c042dd304acd

Filesize: 331B
MD5: 8c5898ddba031a67e2e4f495b9e55f22
SHA1: 99c128714d7e468245481f409007cc13d377843f
SHA256: 810fa6d528a41c3d4558e59d2e09e0a5f263eff58a4ea82fc73d9d513ce99fab
SHA512: 525781eefeae0729e0b51d665b75f8c1df67635f335c2ca3fcf8aba9609200e5b2ae09619b1853a58ca8dab7b1df1cee1e8ab77b76c3e837826da99748a06372

Filesize: 8KB
MD5: dc915fd7b677ecfa204dc34dd92c603c
SHA1: 4b40bfa8e3b09d0e2ec7e2e0219d15daf6652cba
SHA256: 972b385d7eea75c24df2f356ee90ce83156652daf6ec207c42d258f343696967
SHA512: 1db81dfe5663ff04484fdce82f88ae447683bbac74286e0e6e47a54b2db3594df3dd76899876a668070054b53456d73882cfbaaaf5d7a722111b93a41c1db307

Filesize: 7KB
MD5: f0e35e23bd7ea475504b67176b21a765
SHA1: c7085ef102f36026e209298ac85b594941a79ca5
SHA256: 3c542614aef168e95fe18db6bb51e83d63f48fd5f8f7a91e6f94b8347785329f
SHA512: a4ccffafe3f0fa814164d6478ffc121d9ffdfc4a74c5604ae8c74efeb83fa9293075c44345f676db1436a3dd048f9f4dcd072b69c8eeb41e6a43d7132658206c

Filesize: 8KB
MD5: bb0defebe4bd046ce5b0edd984f3d9c4
SHA1: 304f405e96c03ecb53d715b2b8eecb734241a867
SHA256: cc6a08a672c1bb8f047da5b14a93712e63560e40a9187126417634f03d9fc5d5
SHA512: e3ce0d69cb2b487a76e14415cd0ef29f55ce71ac2f0ea79807acf45b00aa163b061adcac215725f55555947c4d40a855383c41a9f94abaed3273b9748d73c421

Filesize: 11KB
MD5: 51ca0aaed102473a603d60d64b8b803a
SHA1: cdb48f537c1cc2df1f4cd020feb1799c7567fa87
SHA256: a4cdb3d47177ae78f4f4e93b4eaee2d7836153749ac38786005673feecea68d5
SHA512: d6a76dde4939ec286e56844102b936b6154478002ca56d22c82b34c69f1174354c8fe6ecd28ab25f47d1a6c896f140b9560e399af66a5827d525e49c2aabeab7

Filesize: 11KB
MD5: fc36505d02e1f1a04a8167bf7d1e97ad
SHA1: 974c8bbe2670269406a840aea4f3752393e64ffb
SHA256: 3eb0c6fcd8d05ce649d7c48fa07dd2ea0e42f4508732d7863f230a8f5f1f51ab
SHA512: c5716e417e248ee459f7258fd1cdeb5cf5951def508317cfe316135f8cb36ebc3934884aa29a25a1c297b57afa97e521eb5f94aa4087a65322fa68b02a6d8a5d

Filesize: 5KB
MD5: 2a289ea0dcaeb0353935303aa84ccf5b
SHA1: 070551714a7662986fe7cb33d3b3bc17bc0d87d7
SHA256: 7abde377df6a4a5c419ef64bc7a5305d7d8205e85dc3f829c37a3d22d7924703
SHA512: 7ae3075681358eacb60cecb33f9c5ff305cfdd19c2f2a42a318e17cded2d1aedf6813a3f86c489643a04cfac5b7cf5ec96ccb67603321854340912d529fd8f5b

Filesize: 11KB
MD5: 7cc097f8725ab7fa1983be2075210865
SHA1: 772da39399558ba3469bc41b6cb0c052ae5b5938
SHA256: 799f3596f25335861737b70eb6b8f0090bf849ef6f9f42522e00be657c7cbabc
SHA512: 03657830ab68745a97dfd437022f8034bc6d8b32286ab4c7edeedab68ea670d36e358a73c518be4f68d47c01aaf76c7e5e57b529f56d19afaca98b4060c17f6b

Filesize: 7KB
MD5: 5f852f9c060e9be9a49dbf1490dd2d55
SHA1: 17bf0e1bbc5de34b346fe74f43575d68dc941cef
SHA256: 3793be04e63d46d2967adaad40d5ea027ba0c160807d539b98587bdee4940b33
SHA512: 93f9de5c06765c308e5450c9e3b509956062ea44cc7679b6f045dccb8f5fdaf327038e9f1c4347429e11af87f1fa5bff10d2df7259f50d8c3dda57cfd71fc519

Filesize: 6KB
MD5: defbff7b03fe645fc78492b39715b144
SHA1: ab92a707a4a55c1ae7dd2c1f50e63e232ddb08ba
SHA256: 8a49e681ae0c9f32fa2666c34743698d06769444995c4f2778d44ed822b6ca90
SHA512: a40a3bc0c5758ab2e6479d72a1f6cecabcc5283d2612b1e2d827ad9a57e881cd420f8cceed902874e461dee78d2e322f0069c8754d0bf8ea773a5a48c76b861d

Filesize: 11KB
MD5: ac349f93e499544caceff6a840a28d11
SHA1: 66ccb08f2c7c9b1c00a9459dcb73fefd781670c8
SHA256: 79a4bf21f06fb2e17454d9d22287960dfd8ef7eea741de294dd20f58fbdddea1
SHA512: c8a13e57b57881a91900f26027f4846d30c08a4173f1e2299c36840d2196d1882856422379d0fbad63cc741078f02cc01c5f6a2556695da8d54dcb60ee89794a

Filesize: 1KB
MD5: 8e789c60cc3d68a8848e169610e1c1b2
SHA1: 65c46b72629154307fcb769e142895ac96682102
SHA256: 9e00a6ee34fb4a895ad882bd26b6f4fe85d8ead78fd4c2f50cb5e22d15f6163c
SHA512: b234c0b176cd4010a4017baf46cfca43b7760d7982f21a781328d47ab44273708655bb014624d907aa086e0c53a1992e81def7a1e9dba39a1fc54fdb5481e60f

Filesize: 319B
MD5: 3d73ec41d648086e7439f425e8f79f8c
SHA1: a49830e4efbfe06b9092684c38fa967821242313
SHA256: c2be4f4f81c396387180ac41bb1ff7f0260f32f36c859cdb24cdcefda201b088
SHA512: e379b34611444bcd64e2b5c297602c492a5c01e59b7334423f827afca3a9c9f5468d30d6dbb1f97422a0cfdabb1eb6a12e92a1511a0c0fcde278b6195dbc4be8

Filesize: 59KB
MD5: 7fc3210ee676ea4d3287182b57879642
SHA1: c86edc1a5ae2496d597214ef7c907d06bef7d863
SHA256: 95b7a131114a012765094215e038db6ed9f1d4a64d269298c80c75d5752c4783
SHA512: 0a5f85f839cd4803856cc4552c2b621dcf2c64d7d90a2415e838b82abf9aff9296f7f061df2f70430075894656f282cb1fd66584580adf3717e8ebd4b9d6047b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize: 175B
MD5: f952c73ef73d731f456d95a01f0b0a5f
SHA1: 0fe4f06351fd5015e8d3343c8341fb9b496a8741
SHA256: bfeb5b854b7c802a4136711958a0bf49d8b9a344f5475c3c96c318b351719043
SHA512: 72916a90aff685083672577a34eb86a02cbbb1141646fa00c5a662842c715304c8c024f0b6f60df5e12e24b7ea94a5c9457becd61e6767bebe91f2c0e7c9971c

Filesize: 350B
MD5: 2b0211224039f023154a527e498f3d32
SHA1: 8ad997c779d6c2c86d59a11c0536843c96ac9b82
SHA256: 895e97bc4db0d7ea4f01ced0548bee28b539c17479c823a9d5c96805c832f13b
SHA512: 09162bc666446d51214e3837384109618a40dba42273a7e9533dccf5a8275d35d3621f969e1f5b94e47ef18d1061d791142d2e1c630ab1afbf8b0e652525c49b

Filesize: 326B
MD5: a2d5236bfded2cda63966025597d2c33
SHA1: a1b0ba1b6dcfd0975a61a2c5d49336654b24250d
SHA256: 46f8444e72ec0bfa70208850c2e85a573881b894f83fc55c1e1156ec9b8350c4
SHA512: 7bacf71cd226c63e5d4f989d37320fc59629d81893d386d71dfa2c75ed58e89955208a8e616bd1efbedd4261cbc822cdc5dda89c6e91252474615bd33f246afc

Filesize: 2KB
MD5: dd8989796520f8b5b9c938810dde9e03
SHA1: 90b0916866901428e2793e4c84e655ff402aeda4
SHA256: d894b5099e1b13a27bf26cd91da8b959867703bd10ebbbaafb76da796612475a
SHA512: 988e153ff119e657855b353810c43fcce974758ab3ab2c316d2ed344c993592b216c4f77946304a2085780504a08623bd0fc40bae121ae4674bb2c3f0457e4e5

Filesize: 1KB
MD5: 29fa5eb414e8b8e610352ba57b4b5dcf
SHA1: 4ad62e4aef3a9017e6fa93c1c34a2d8fd035e017
SHA256: e7065df18d3003ab22d7d85cbe78feacccdb303839a3fb426a94ca4e6df8846e
SHA512: 5b985782673cdaea55ffef72041b4431a8fef42f130fe493071645a7583129c40ad0d423ea673a649df12fd3ec2be8c78b35534e9a1479ed5a3848f1292f43a1

Filesize: 204B
MD5: 07e416c34f629d5057c829a1f0812841
SHA1: 57790d38243ad5eef4ca640ce3859f46afe3b1d7
SHA256: 57225001397dcacf03ad8b7f89250a9d8dc1b87d4552719dc89ef6efd3fd0515
SHA512: facf3237429b594f3612885a6b2b0507da5c4cbfaecbcacad83babd9bcb47d7e2fd51c7b2b8e7b427413145bcae4ccd80bbaeaf5f5cb7ad1e64128e20e2eced9

Filesize: 128KB
MD5: 39067cb674be511129a6b02dd3b38ec1
SHA1: 51807b158a45f316d733f69e05ccebbcbd0b57e2
SHA256: 018a0e52cb1d37511538d8395e43cf0c63d7bdf97ea13031b6e5c67e3a9bb16a
SHA512: c67eb9a9ff8deddcd70b496579ef078e4a920749e264682233ab94971b8824204590c57dadb1bd8f94173b812d5091c740c060e7da90fa4e5135ae6799a884ef

Filesize: 16B
MD5: aefd77f47fb84fae5ea194496b44c67a
SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 92KB
MD5: 88b6bfb8264bcedc47f75f57844f2062
SHA1: 6b76bd8977690c23b0ca63c696968175058c040c
SHA256: 966d3eeaeb731efbf0fbb0ea9957af9d4c7aab61d405dc834a377f0980b489b4
SHA512: 3f182e83511932af0f2be79552c6cfbffb5af299430d224e221ff8abc80f865b4a0c49742da74b2520aaebd3065a1f7e0f65c249cde03acacbf6b03d88791b75

Filesize: 3.9MB
MD5: 03377e8e7be951ce6f39f3d982859f25
SHA1: 09fe289234fc96e607bdacc51b4af2adb78b0882
SHA256: 7131f74f0432dda95aedddef40c39a32ad41d203f2d0c8866c30858ae997f1fb
SHA512: 070b2e7ef5031ede410c3df0c4dc210d99e9a3ffe24d2b4ceba44c4f5fb4560627537017e208d5d78dcfb7e527b43f3e91c67fd0bb802ce6cefc8ce9e1e65028

Filesize: 129KB
MD5: b9d1138ba331ae10ad7e31c69fd93f4f
SHA1: eef367de77b136b368bb1be0a9d23c02f2330bdf
SHA256: 5bc327fe0ea95280a42936497962b98c9ab7eeaaa51a1ffc32a0432d7140fd04
SHA512: 74cabdef8bccfc33d64df43596208b695b5a723e69051e921e6e9c0140fb9b6f725815cd4bb9a4bd81ceb24081aad70487547bd1274265c6dfe608a1255a6be8

Filesize: 322B
MD5: d2a9d2126903bbb20bfe8d8f4a0db331
SHA1: 5f48c171ab0076f677678f36771507a006c75bfa
SHA256: e9f3c9ce62ecc02450c4b7d65a05128de926139b33daa3f37401a976fa1c9481
SHA512: 56b99f7d920e673a37c55d2b75dc86a800415c7fdf6b23a2379f0281aac2c5ea4feb8a1eb8ca0b0b276863e11c4c222da98c3250fec07f95cc7ae99e4b28aff5

Filesize: 565B
MD5: ff788109468a3917e6e3d9c7fb83e710
SHA1: 75a6da00b2bf6e961e6c7d95c82153b109be421c
SHA256: 83baf10cb9b0a26440f5b4365ba03d321745eb7a502a7c371eaa8300ae8c59d3
SHA512: 62a0e43bb5be410a77923da433d0905576f9d2271ba51255a28f03563cf6220da9b879cebc4d4a32da905464f78a2e6750a6825218c44ea95fd0f2a775426208

Filesize: 340B
MD5: a806c59b524e43c65e0f53f60b20cb38
SHA1: 0060281465ca15a3a9bc06b232846ad9f035a61e
SHA256: 50649e54fa9bcefa55b92c68fd7c296e6302ca98bb6753d6cd0359ef1cebd2bb
SHA512: ec91adef4f40fd61dfd3d6ee6ffdea49d8a28dc04d13facccb562498e8676896462945fdd9dd0f6647164bc9fcfe1351b56096a90cf00d28c91ec7eae2e77cb6

Filesize: 11B
MD5: 838a7b32aefb618130392bc7d006aa2e
SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Filesize: 11KB
MD5: 6bd7287f0dd2ed61415a3c2ae9d4377c
SHA1: bfe2534b9138d1f92df0414cf1ab739628f10a52
SHA256: 02d2e7afcd014aeddd0a2f615096984652ea95e6eb6fd2dcfff577722c74a094
SHA512: 769818e0e268ffbcb5356e6019dcdda6021f8d3b844fa57f371faea42eb3f9002366ed5553f2d8289287bbdb64abf93e3366569d444933dd91efc881fb74d0fe

Filesize: 11KB
MD5: ebac0254ee416a99a896ba199ddda1d9
SHA1: c657e5147f737cdad837c0752c0aa7aa6ce85375
SHA256: ca2a3db9026fb91880eec97b1bd3f22374c8e435b14a466a90d0814070990456
SHA512: 7ebc8ad1b3e49893883fade0f4fc2400695b1ce3c4a6469215b2d97f4afd1f6ebf421dbfbf77649bfbc20c7d2ba30118d4424d97e1932c37c514ac91f0cc2618

Filesize: 11KB
MD5: 437e18c8cc098f3299862716d8177472
SHA1: 8bec02b5778397737639fa140b2e6d257e0cc721
SHA256: 843b1af7b607ba9a85d367506b374d6136ab9e23746683464b4f73812c2e3f1a
SHA512: 20d5873f36a57a079ceaa23db80c3a456370b41ce3fbab6bea18ceccc573884aa99028eb63d2d0f231acf5cb7bee00f8510de7c78fbf5e1a455e89c72df04cb9
-
Filesize
10KB
MD5c876d9f152374974f3487c878b4d6533
SHA16456fdf6e8cfa8f805c550835b620ff26c2231c9
SHA2566244700716a7b6670bac516f730e37d0d03109c84c6231c94e26cea979f2fd7b
SHA512b388c06afaf4f4ebbd8605faa9b3df0475dadd417460e879d95352d5455f4d47dfea7e204a53a9251f5f0253e2a25a197316b096138306ec3d0261b57bfd90c8
-
Filesize
10KB
MD5a72680cafb001ce8aa3dc419f1f34d99
SHA19208c25a17f3ec0ba3aa53d3c2cd947a9e62e012
SHA256290f9b720707009b161a68f787f287868bf10d28837b9c918e4d87cf01e5693f
SHA5122f85e57d88620d7a2d407734f828e0f814b0c406beb182b9cc1a1419c98db69b5a0f964416e0b6c4bb05d075a42276a295e09206f9c6d866b062803edda667c6
-
Filesize
264KB
MD5af8881623e2c48c0f270e597c24abd78
SHA12fbbfab845b9b1226cae425b6d4a5191ac75a380
SHA2568c72c9db6413d14c4b2e909d27aa641add2cce5cda83a250c4781841b9c835c1
SHA51229e803c4766656e158fd0bf6c71eeecb91f5109c2b761fa115cc67d5d42580e3b469330d26ce85a6f7635e1988a257242cdf00dd54edb7039db82bd9206c6051
-
Filesize
2.7MB
MD53567ee60deb35afd811a25424c9b13a8
SHA1850f2bf4dbd2e569a9aca863402c392226753956
SHA2567a88ac88cd9a64ac367e048c1ce14a6fb31d5025a95e8ff6fc42730ac3f941a3
SHA512a004731ba7d2abdf8bd1691ef98356da7e9119d1d7d281d824d9229a21acbf6a82801620250eafec63bbf5d09817b5ae93776d8721543a2a7e1bd2ecbe80c20a
-
Filesize
1.4MB
MD59123b83c1df6ead534e4961f71c5f990
SHA18c52f400b274da911f63c2e99b72d9e23719298d
SHA256ad9b9da90c157ffc51b1284a6d47f439119fd4e11f4c57063b4ba13c9889fbc0
SHA512d3489aa96d8603e36728b99b117306b1f10fdf921db0043281680cfc9db344079a50ae5c07a7fbb1f37cb089c35cd183f4ab67b64ce2a03004ba99307933e39a