xworm | hxxps://gofile[.]io/d/VmL8Ux

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/VmL8Ux

Score

10^/10

xworm defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.23:53631

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab98-97.dat	family_xworm
behavioral1/memory/1488-138-0x00000000005F0000-0x0000000000608000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Roblox cheat.lnk	Roblox cheat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Roblox cheat.lnk	Roblox cheat.exe

Executes dropped EXE 4 IoCs

pid	Process
1488	Roblox cheat.exe
2552	Roblox cheat.exe
1696	Roblox cheat.exe
2772	Roblox cheat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox cheat = "C:\\Users\\Admin\\AppData\\Roaming\\Roblox cheat.exe"	Roblox cheat.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Roblox cheat.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Roblox cheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Roblox cheat.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	Roblox cheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Roblox cheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Roblox cheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Roblox cheat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 523160.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Roblox cheat.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
4088	msedge.exe
4088	msedge.exe
392	msedge.exe
392	msedge.exe
3416	identity_helper.exe
3416	identity_helper.exe
1848	msedge.exe
1848	msedge.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
3920	msedge.exe
3920	msedge.exe
2324	msedge.exe
2324	msedge.exe
2520	identity_helper.exe
2520	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe
1488	Roblox cheat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	Roblox cheat.exe
Token: SeDebugPrivilege	2552	Roblox cheat.exe
Token: SeDebugPrivilege	1696	Roblox cheat.exe
Token: SeDebugPrivilege	2772	Roblox cheat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	Roblox cheat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 5080	4088	msedge.exe	79
PID 4088 wrote to memory of 5080	4088	msedge.exe	79
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 700	4088	msedge.exe	80
PID 4088 wrote to memory of 684	4088	msedge.exe	81
PID 4088 wrote to memory of 684	4088	msedge.exe	81
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82
PID 4088 wrote to memory of 3804	4088	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/VmL8Ux
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff94dfa3cb8,0x7ff94dfa3cc8,0x7ff94dfa3cd8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Users\Admin\Downloads\Roblox cheat.exe
  "C:\Users\Admin\Downloads\Roblox cheat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1488
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Roblox cheat" /tr "C:\Users\Admin\AppData\Roaming\Roblox cheat.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2416
- C:\Users\Admin\Downloads\Roblox cheat.exe
  "C:\Users\Admin\Downloads\Roblox cheat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,594316874323440729,2325589423304824194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:1184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Users\Admin\AppData\Roaming\Roblox cheat.exe
"C:\Users\Admin\AppData\Roaming\Roblox cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Users\Admin\AppData\Roaming\Roblox cheat.exe
"C:\Users\Admin\AppData\Roaming\Roblox cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff94dfa3cb8,0x7ff94dfa3cc8,0x7ff94dfa3cd8
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,17673484305050673320,6237948805373538598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Roblox cheat.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fefbdfeae44ba4530ca5a9ee292e8748

SHA1
e4c8ac4c23f9cddf59603f897b82d5b7840b94d4

SHA256
8e676d6ae55c0b3e19a8c493d0393366f0c33a1cf1b6edf1817b18ee8768efc3

SHA512
9aea448b582149ae6b672b11724fe28bf79e556ab948fcf22d1d13c2a14ef130de0b35dc73eb36060110dc14fac77b2325ec5f3750f58a063f6a2ede74072cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
09cc742ae466fe669e38155eb9b2852b

SHA1
905e475b036b2157ac9f62c3008e1837e0b97fbf

SHA256
f98fb9cca3f05391c346459a77efc0f6753cd0cf59352ed54482842dd0961df4

SHA512
8726cbecf571c41bc69b9fb2d99d524f693e2e6d69b7f106185c0251a06a37c8fac4b925ec58997c05241d89aef9ae201beadc661203da2ed9b2d79bb69584cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
17f0965fe5ce26709ee6b358e62edd0a

SHA1
4eac944f60a3e5f1a5b8727b3ddf0e02e0b2c369

SHA256
409c66cc706145a1a96768babc92c2cc059141325d9fbf8c97c0e5baf8e4159b

SHA512
3803810bcfa5d31a5fa11d2a5c6176cc5c01e85af148fd112a903222de5bb2ff22a9f029b0e15154f68668ecbc64373f5e65f8b26875633b0d9b5ec7a7df9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
ea3e64aa7d2b4b03ceb8f07785dcdcd6

SHA1
2ff36b39fca87f43196494c7eefaf3d057334046

SHA256
54d4f411510ecba2d9150f5aa3b2dd930bb5d8ae2b5d60e95f92ca337567bdbc

SHA512
b3e6ac1dc7bbfb5929b2e0ce8e6e3515b2fec786b9e2a9f5079b1fed3e9fcc1e7b1df5906c76d18d7d9e53feece25aa4e4c3d83307094c33fa3e2d5657a9bcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
e44934357aa19af63949d6d1c0ba1902

SHA1
27babc55d50a6d18e54d0afd1682f25e83c41fc8

SHA256
32bf8ea621f554675700eb5f061a75380a169b8d85f1a9d5beb1f6952f6e230e

SHA512
cd33a5c86511c20f2cc47e7c17f8e8e1ef1620981e640c7d1a4c58b889c8965e0426eae8583101e66c82a3fe484e1ddf35a0d5bee43c8b61931f3d0c5d9938ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
6062fcbb77cdb6f101fb0bb19ce83472

SHA1
11ba7eafc379c3af93f0c30c8bd42a16930d1781

SHA256
c2815dd6255e586ce76e9ad87ade49a8a159483b6eabc58e053883a665254d8c

SHA512
b27e6aecdebae5241e9e4a585b3bdbed689f24562c7d23ea09f62866e462738f979ddc6721a7ab1d89d5b7a8f4baad45539249664298588cbd4281b1de5d7a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
a20985253f356ddf22aa9257bdb7d8b4

SHA1
f8bc9e0580698a99aba7b2d317aabe4fd281d65a

SHA256
a3c3e206b04d89116c747359956a8b8634f74ed53615312caf8d6f57c50d1021

SHA512
5aae7f29a8cb8fe2c5c27e2213cca205aaa7f38f981982663e7484f4c7c297bc8fbe16416ab5f74593b783b858dd06763a63b2d03521432afa58042ff44c3ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
8be613e11f24bb973707fe6d3e14231d

SHA1
6dd319e6d9036fd8778b5e172e56ca80e93416f1

SHA256
02f668b29136ff6c4c8e4e691e3cc45f2cd92c0c87f5ac68d4e1f3039e7362a2

SHA512
98ae4df365140e95e04fd1c87b2df9aa5cd04196ddb8227be1f5e0d29cd19b426482b0c81c85e78e9a1acc18d58b187b166fcf9d77201c023249e31df54aeecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
12KB

MD5
e8f053f27cb948ad2f0544aff2db0fe1

SHA1
3518ba1268d608e78948c2f35954fe04a1cc9997

SHA256
5b86e096b3de70879fff3e42533bd21c91d10ba400c39e6b6d5dc9f4050996e2

SHA512
73c0c53a6988bb7fb06534e6fb9c403b841bb98957e92c232fe3b86c86bfb22d1476c6ef3d9f56fa28d4c731979c1b618c230013036b0c680c6a8b6825b74e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
8c656672d4872e4ffc77faf0b665713a

SHA1
7efbc4ae0e77f63b2905928bcb6bec38c087267f

SHA256
4702e8e312b09825c03417c2b1b32846969b6e8da6ba81f28852015c07784cf1

SHA512
bcff2f5a841147fe34f4c6908638fea80b9765e7dc19ced0d11fd08d3cb94bdc141d52d12672f5730ff13ce277cdcee47f34e35c89a122d4c3c3fe7282859c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
73fb096545dadc81f6cc142e1eca5df2

SHA1
60a53fda36d59220e5e36b1e5b536208c9b8b8d0

SHA256
d7e15d6886b2f96715e0e5818c3eb71575aed857a7a95fc94da6e31c630506e9

SHA512
cfe918bb117a154dee359768f4569321dd6b71da4e42e904b85bc652b91d642a1fc8299c87b6f329b2747cd9497823023f1e97c7e1708530089c9d5f78607d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
bdf327c0c53746db0f00846d196887bb

SHA1
4878034fd31411722c778f48265a04d3e1be618c

SHA256
2ba2eb5ec7797875da9d8bd42f4b7a8842e17407bf0b230ea4f1f47a01d5de02

SHA512
bf5abeaed29a4d070680ae065552aecff6aabbc464998e15390499a8ef5ce819c80ddb2a3b1c63780336771724a34592afb8438007e4ee946ef1e6f4d3c074c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
658B

MD5
b7fc546f54725044ff5ddd6ca853197e

SHA1
da3be76a0e03a344c275f880dd1f64c7986b6bdf

SHA256
906b31b2fc07874ee5b99ea540f7a49216b6d6de64152c1cfd305708ee43dbf5

SHA512
877fc48a462086ba657217f4cdd4430f89eaf93b28049cc1a280115c538d37325f9c52f747f670cce8a36dfa17eb6ce5a446e049aa2075b9eb19a41ee6839d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
462B

MD5
b59b1f9fbe3f9f5eac833444487d279e

SHA1
4412e2a1f310359c9c46529d97f60fa54e75188e

SHA256
5ea33b460ba4102eb17aa5e03a33de845b6d62a053565d7e748299f559f1ac6e

SHA512
cbdc3c3377e2f5282d03643b322ffa5d808114990794d4ee8372ab082a80bfd0c44187430fe995cf47baca5ea858d58a92989fe77026b7e03e21b50d906c665f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
4e096d2af93c41312112235fea672358

SHA1
182f71666b914e9dddd93a00b6608e8ee58cc4b2

SHA256
b2b0f4736dcd4ae6c2cb5e0640728fd6dbb120d82dd7278a816d8c75110e82d5

SHA512
d1690afca500f008eea8a25bca969f5ba631da68ad0edd2f4a0c2fe0e584e49732ed1124d6208fe6e396e629f4609570ba822913c55febb2bc5c5c4422beb213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
ea5191d26ad76d7268090e2d59ea8627

SHA1
599dfd2f0b5cfc660fb5699a959e3ecd891bc287

SHA256
63c91fc8fcceea02c1d1c14ef0a7cd29a796e62fba67e0adf2ad0f0260ba7a10

SHA512
c2046f6fad34baab2e70c2f86c1fc2fd74ff5ce016a62077f55fd58ffa3399181241e878003ea09f7ffd3d2ce29cec4b8393d802aed4050542938925a79a0516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67acd3aebe4ee110f89cec7d0a2fce6c

SHA1
7b74d5e2b78b00a4a5277e004a36d0864617ebb4

SHA256
9862f01e6956360d9ea4b325eb4099ddb92186dd7d2d825411928d8f9881f410

SHA512
2c8bef14fd7360498229a8abb64d553f2f1bfef4ffc714952d08fb946f0af9344571c94e5cf36c14f9d940ea12f818ca4961b1df3f51395066af5eabda57ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4b215d20e6432420073d93f5a11a351

SHA1
71fe2e4bcd050414e89d6553ccb0b4577bd3ec5d

SHA256
a138696d9b529096b6a0afd9b92265a9f0ea1936232c4e537367966c6c6f7134

SHA512
18e6623de3e421d79a2c063f989431ee74e126e6d9252ab3b7c05ad8482865722e528e29282b606598bd1b7f1bfee72f6ea5879f805cf894db62f7489bc4d080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f59b21e1a44204478226cf5be853223f

SHA1
8d2ac109a9815266f7379c09b9a1f84fd4955e47

SHA256
e1f0ff72cef9af98fda9a7448523992c519bfc4701ddd5d2276984d86a17e754

SHA512
d44d76b53cdbb5c5da5c6f1180d95ba83c5b4983bfff9dcc73960bf24607a1113f9a1b7a67b29505ea50b3ff777d8b907cdfb5af2cbad204d2dd19ef955e18fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8b2e2944b06157353900bcca423ba47

SHA1
e982465fbc999eb2e3481b77de25b460b73d74d4

SHA256
751164082320b845cd09f53b56aac193cb4bf8841542798c2942290b4f7b598b

SHA512
35121bb113eecdbd1dc44de51bd7ca87b53b0bf0e19ad63656cac3bbd2b7d338f9a26dacf0f184404a83bb4a32306da87456ed5533ebf64dae00a46454e2d6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3910625a65100bc793816a5ec513247c

SHA1
6d2237841b783ed91a1868466b3063b2ae1bfbbf

SHA256
6b3e813cd4162211c6d79044c3cb1efb0f7c791fcc5f83358b6574b1a2a23171

SHA512
590fb0d99ca2c744ec518838e7524514bce7a33e07e74260c978765b105dc6500d7f46c497a1f47cd1fc143689f8c9eed54bc7527b8a7427d1513ece58c8d4a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
882e49d47ab6a34526892629bbf22ac4

SHA1
1cc2847426a8a190d06f50d13f9ae72fc2acc3bf

SHA256
df821fa37f1cbea278e6a9ca1a7b13ad1157e0875bccfb790928317939209791

SHA512
39268cbc1d50ac4b0d6cc4b6aa3330a7142ce1a6e6bbe52241c46041f3febd694903881fe000cc5281a07d2a573fd522add8d698c97cc4b36c5058ef56d36562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
364B

MD5
1c046f02abb301407e04483360853e89

SHA1
edab44d344402a0598724a1a28293def5358b190

SHA256
6894f19291a611f45060df1acb079979d6adb5a286b236049e2c600a3b661394

SHA512
201b6b81b80da274787e178f3ea8fbfc70ed1b0df85213abefb1314ea47962d9a66c0b6a8b3de6e49a28e8020d49cdc71f13be9872d9224ac0ed9129d752ff1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
8adab72069a83e38828c894a303927a6

SHA1
1676bcb5e711840ab62698b7ae75a67d9f6be148

SHA256
d03725eb66594d51da0a8fbdd3a240de8490183b4243cf71d285383f4d872fe3

SHA512
9766bda0055e949087aa748b3808eae568fe6d8a4b8f7d5484c9d32026b5683c70d5bd2011aec0757c400227f2617848c7e84540b378233585404dcae67c840a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13375831759295892

Filesize
2KB

MD5
fce20711d5490982c8fea15ea63c5965

SHA1
4250827b2b1ea3aa764d43ded7d1a9ae867d6123

SHA256
4d0826c138c150113a665c1ee1639cadafd59d43d72a24a458ebc9b71c1bc995

SHA512
ea8aef110c98946e658b7c77bcaa93d0a7404d850f09f2a16fea3a02375b6c47381b4c7c945e877d5307dbc5772b5ff605b04ba49f5e659ad9186ee8b6607dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
9488beb42a9559c0d32282288b957b14

SHA1
4de713cb9b9c17a7fa8088b9e5270736cad2891c

SHA256
37e2b71bcbe281efb7d199fb9a51bb3d1c27b0446f0aff9520c570337edcb9a5

SHA512
91b73a36b3693538125b4f09ad70816dc1d39d40807d79c8341bc8e68c27d2ec63eb2a79006455b376c83609e1e00925fb35ba74c828bad7e18aeb0b33795d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
5d63f67c8dd8d3bf19de72ce43e7cc02

SHA1
ce142478009ce90aeaa2ab1be31c60338bd7ced0

SHA256
f58d34a3de4f0cc2e439cece682b74fe5972fa57d5546f6137abcf47eb8766e7

SHA512
c8ea225d286f50914c9c078510c500f513637e909abba0c3f30336c28959410df493597b08e148ee9820449165e830e97f19c26e5976484c6bd8f730298abda8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
794c36b52055dad20022fcd138261cc8

SHA1
fbc4423005b330f1f87e3e44acd46eb18e67a6b0

SHA256
15623a572c87bf2bc6ce6a6203a10c836fedb547e0927f9b18dc71b510185ae5

SHA512
f202924b29cac65b495aee570c23174a83ab14573e64fd84a09caa02173eab1f13aed6d5e22dd78926bbc45a4e473e798244b8f9676041bfa34247b14422fb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
e2618ade0f52b9ecb0cd3b262710e653

SHA1
666cecdda75a2150a8f825577eb345efab09d304

SHA256
0b9e82ddacb43e4b025eddb77ae928d5aae793a1ed5461f8c225a85865010a30

SHA512
903e57a0cd97d79519572f2daa5b3a13430419584b095e02eed6b6868cfa07be230cc3a81ff6682913599c754e3b63f5efaa4991866aa9fc878d59cbd020b9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7f62b6c612d11d69cddd5c06c09a38e0

SHA1
06397fe392455c10471ef51708c83ffd421c2353

SHA256
76c1f63981361c6ce7f67647f253864bfd7727949560a5300390a2d08bc4cf05

SHA512
548271e8c5f72685ea2872dc92af394f3f9919295ebd4a521d4c540b513caf7bef67b0a3e1b9d7d7f17b5b9162a995486441c57a4c3b3f8555cc247006f04117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
9f6f1c8a4b3d0c7e4d0046ea66e01d76

SHA1
563ce01cc6af8f2f539cf67367170fada4c0bf4b

SHA256
186a941faeab6edb78364e3050f6926b1f8b230fc942c5d674946c12f85dd7df

SHA512
a5c3f1cc10d8f620b52ace1da32f5aa3abde5b9b8ac1e085da6e96ff96b6bf87130fdf3b089e24c95e87af1b0172c8e02eeb9e11c413d2446ed2d3be49d6419c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
b81d52f406b69b8b2c045cbece54f176

SHA1
578d4b0e8a15aadd7937df5b05c12f4f2c47a363

SHA256
ebca58f557632ab7e553f7badef957d43c0047c81f753c06334f7b15f2c94dab

SHA512
41d2cae9006294d5c261f52793b8e658ffcfe627648dbc4f6a4d9f0689f05ad9c0e1e70b257b6fd8475157e1995d895ebf652c097281333a346e0968a560b0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
81a6fca016fce7e4565c0de60b8f2b2e

SHA1
b2ff6807bd3640fac68edd3511a1de34e4e727b1

SHA256
d944ddb3f968e55114225bbc668b853043842b6a58e969b065b74905fbb0de3c

SHA512
cda4401295875b989094dc78bf139cb987be9a759e5c0a0afa2ee3a20279af04366fce1c024afc383be802fe79a8985efd95abb8b856f33484e9abba9baa9674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
976c229ff58bde64e028e08ecdb518d5

SHA1
6da4b3d9c776f65cd76cac08145dd733a0b98399

SHA256
a9065113a31a540d2b28bbc4d11660f5bdc9637dda947d8d3a9858feaaeead7a

SHA512
354dccc7679f49f8ba2b53c764313c07fd30a4767027717385f3c8a20935ea45f1207548aabde07631b2f90ae06152dd621f48368fcb6346a5629b5b855b8c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
4018c69cf457aaeb66962bc8da572124

SHA1
9344318307e3ce501634f253c6c52d23bba42640

SHA256
999afd6964d5f42d642ebfb3d19841ff3b18acb299e3b3ef4a1f06ddf256fd35

SHA512
ef19c2318c4a3d040c855adcc9dfe8c05646e0ae14eaeb48ca7ecb9b55b962725f70d62fbec56cea73d46947b368345d5d58e00ae999ae87b7cc9e942eff5089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
c8f3683d01453ffbe950865b38c97b2f

SHA1
39f9210bbd9fccacf62aad298a9b04d9222325d8

SHA256
1df6bc7252e8d3cf98d87d7c8cf12e5eaf04f2af36a54117c4dfd7e28ed6125c

SHA512
4d2ecb5162b4c0b409c6fbf6dce4c07e89ea4fbe0bd1dc94f9f07b1db5426858bb639d1de98b3ad24db71a6e83da00d9ca7800d13430c73396e84c531e351d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
fb2922c8047135822f2037f34ad8c7c9

SHA1
458813967468fefffbcf032e0c0944e9c36b52ff

SHA256
4e72c84581ced342d020178ff0da95fdb7d586d28721bed9964c63c8b7bac572

SHA512
d782f990b77d5dfe518c9d4c93fee31ec04662f0540159e953fe31b7349e7ee11284feac6a21bffaf8bf4966e516e6544ec0c7bd029f1604ef2377249640d6d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
97a049f44789d3c8386bd9a264d3a2df

SHA1
ccecf6e370a5965e0a3a738adc5be5c9e95fd34f

SHA256
d126581e2a3391b7bb1fddb52ff7ebdb117c99a1dfb7ed98784e9320b13dfd21

SHA512
e760d044e7171dfc4ecd276edcd314a98ea3d82fbee1b54d0f679ef146deb1f9e537ae70cc460229b9b752977c65eafab22d1aadcf5862ad0a1a028ccc68fbfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
242b618303d8c6e1bcc167bc7fbb759e

SHA1
5aea1fa88e7809b7a4dec34fb09936950904e2e4

SHA256
d2ba90ba6043f6ed89de23a9aa54cf84f74184aa282fbd7e1386b3bbec533429

SHA512
0f9e00dbe9e83c5e4c08ec18fc55480e46a51545e6c5d897b3de586f44479ccf6dac6217ca033500bac48ae583d31fed6ee95f2b64272546ab641b01f8f02b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4eb24c539e11c0c7863c7a0891a13c34

SHA1
33fea7b30ab65544424cbbdfa7a11694abfcbde4

SHA256
56030824d427b22c3313207555f1e6a9ede9d3be7fad69cf3131a5ae46e185f6

SHA512
8125f70077f14232af0bb131a7aaed12423caf692da666d8f6b56199b2896bd55a23f125247d99cd7917481a93f5785c63107aa2448f22385ffbd0911ec1c3eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e1a6c1cb4520175333612b573a9fd91a

SHA1
355ce1905fec44335420ad82f1a10b6f27b51e36

SHA256
be1b422a76e8c61f175a3889a010415dc076038dbc087bc94387c7845fd7a1d7

SHA512
039bc8619909cba2311b979c940743e05ab9b807ce06f7b6395a231e6f68ddfc5e1e5b62b9dda831359b823ed0f10226446bf6905571905ce68e85c91244a3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5bead5722cb46c0dfb1725b5a2462f86

SHA1
15678bf1f89f2deb3248c50b7b5402531738a7a3

SHA256
2b1413d9ed854972d5eda913311ce0dbdcce621319c0436ea712671d68978417

SHA512
49d8e5992d26ca36df1b03a85f41d731a946a7ccd148c824481769b50c3a1977c4c5c2aabeb1552d5e021c8062d1222ff02d7c3653471a98caa6165ce128dcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3c57577c19eb0e21af7ba0c325112a37

SHA1
45ca3d541b34b26a8bf58fb8998deae94e293c86

SHA256
76e53238836e5454f5ac1361d43a6c76173df86fe160e3f6044bf198d3055737

SHA512
21991ea84ad8656e28fef6ec340fa5ae488e16c3998435d05add7dc8b0bae21d438d59d6f150ef4e6e5d3e82f54b60eb634655fccc8f1022924cf57354f15c30

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f77f1b45-6761-417a-81e1-d02a5b15e9bd.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\Roblox cheat.exe:Zone.Identifier

Filesize
161B

MD5
2436fedbde4a02d19fc68da20f0c595e

SHA1
226ee6f2aefd6ce3371c3c9a7d69886855c0ddbf

SHA256
e743e2d4f7570b45888384940b16cf99b29655082fb960e10858387071260d91

SHA512
f230272a76cc8c901c3b669cabfd0542b8a64215d8b69d1a8f4158332c42f1369143df0b57728ba8025dcd06fa7953fc66be1b7334788e7d1408f083b5365c47

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 523160.crdownload

Filesize
71KB

MD5
f24d23861ae25a5e29ed07ce2edf23ae

SHA1
f44fb5843e43b04f2ab6d372131f780cc4d93e22

SHA256
aeb935a0eed839b1670d762dba8c2ccf443340d4344178070c74be2e666e8e0c

SHA512
4c037c2a699a2349d092686ac18697278d4a52c01752234f4fd3ea2578f8f321557ecd40616ce060fd0ae24411dca9de1f01794cd44a860ed889cbdaf05e2cbe

Download Submit
memory/1488-138-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/1488-165-0x000000001BF70000-0x000000001BF7C000-memory.dmp

Filesize
48KB

Download
memory/1488-166-0x000000001CC60000-0x000000001D188000-memory.dmp

Filesize
5.2MB

Download
memory/1488-169-0x000000001C5A0000-0x000000001C5AA000-memory.dmp

Filesize
40KB

Download