e33e6f15679e6148337732e9d15e5475b06195b7f10909299411977ad333a584

Analysis

max time kernel
659s
max time network
685s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BACKTOFRONT-1-scaled.jpg
Size

857KB
MD5

105f0855b8a2fcda272ea2aebacc7f85
SHA1

7d8ba397949500a320b531dd9962a2b172b0f8ac
SHA256

e33e6f15679e6148337732e9d15e5475b06195b7f10909299411977ad333a584
SHA512

ce1d602d7e141b840582b62d4326c1c3f08efc713e2e92f9dc301f3194b6a6a7f359fc8f91bd360e9db0f31ed05e631ad53c34709b4301398cb6fc066c597033
SSDEEP

24576:cT0rO/63JGnAhag8M5CKW9fVsTHWtDYSxtoN9DqVV:cTA16I8OWt6bsHUIV

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 29 IoCs

Processes:

RobloxPlayerInstaller.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeBloxstrap-v2.8.1.exeMicrosoftEdge_X64_131.0.2903.51.exesetup.exesetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeRobloxPlayerBeta.exeMicrosoftEdgeUpdateSetup_X86_1.3.195.35.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeRobloxPlayerBeta.exe

pid	process
3160	RobloxPlayerInstaller.exe
1312	MicrosoftEdgeWebview2Setup.exe
2832	MicrosoftEdgeUpdate.exe
2232	MicrosoftEdgeUpdate.exe
5084	MicrosoftEdgeUpdate.exe
3892	MicrosoftEdgeUpdateComRegisterShell64.exe
3744	MicrosoftEdgeUpdateComRegisterShell64.exe
2404	MicrosoftEdgeUpdateComRegisterShell64.exe
2068	MicrosoftEdgeUpdate.exe
1560	MicrosoftEdgeUpdate.exe
2948	MicrosoftEdgeUpdate.exe
924	MicrosoftEdgeUpdate.exe
924	Bloxstrap-v2.8.1.exe
640	MicrosoftEdge_X64_131.0.2903.51.exe
4312	setup.exe
4548	setup.exe
4432	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2752	RobloxPlayerBeta.exe
4920	MicrosoftEdgeUpdateSetup_X86_1.3.195.35.exe
2024	MicrosoftEdgeUpdate.exe
752	MicrosoftEdgeUpdate.exe
4592	MicrosoftEdgeUpdate.exe
3640	MicrosoftEdgeUpdate.exe
4160	MicrosoftEdgeUpdateComRegisterShell64.exe
1800	MicrosoftEdgeUpdateComRegisterShell64.exe
4056	MicrosoftEdgeUpdateComRegisterShell64.exe
5956	MicrosoftEdgeUpdate.exe
3396	RobloxPlayerBeta.exe

Loads dropped DLL 31 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeRobloxPlayerBeta.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeRobloxPlayerBeta.exe

pid	process
2832	MicrosoftEdgeUpdate.exe
2232	MicrosoftEdgeUpdate.exe
5084	MicrosoftEdgeUpdate.exe
3892	MicrosoftEdgeUpdateComRegisterShell64.exe
5084	MicrosoftEdgeUpdate.exe
3744	MicrosoftEdgeUpdateComRegisterShell64.exe
5084	MicrosoftEdgeUpdate.exe
2404	MicrosoftEdgeUpdateComRegisterShell64.exe
5084	MicrosoftEdgeUpdate.exe
2068	MicrosoftEdgeUpdate.exe
1560	MicrosoftEdgeUpdate.exe
2948	MicrosoftEdgeUpdate.exe
2948	MicrosoftEdgeUpdate.exe
1560	MicrosoftEdgeUpdate.exe
924	MicrosoftEdgeUpdate.exe
4432	MicrosoftEdgeUpdate.exe
4432	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2752	RobloxPlayerBeta.exe
2024	MicrosoftEdgeUpdate.exe
752	MicrosoftEdgeUpdate.exe
4592	MicrosoftEdgeUpdate.exe
3640	MicrosoftEdgeUpdate.exe
4160	MicrosoftEdgeUpdateComRegisterShell64.exe
3640	MicrosoftEdgeUpdate.exe
1800	MicrosoftEdgeUpdateComRegisterShell64.exe
3640	MicrosoftEdgeUpdate.exe
4056	MicrosoftEdgeUpdateComRegisterShell64.exe
3640	MicrosoftEdgeUpdate.exe
5956	MicrosoftEdgeUpdate.exe
3396	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RobloxPlayerInstaller.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RobloxPlayerInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Checks system information in the registry 2 TTPs 18 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

RobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid process

2752 RobloxPlayerBeta.exe
3396 RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

Processes:

RobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid	process
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
2752	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe
3396	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

Processes:

RobloxPlayerInstaller.exesetup.exeMicrosoftEdgeUpdateSetup_X86_1.3.195.35.exeMicrosoftEdgeWebview2Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\avatar\unification\CollisionHead.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\models\ViewSelector\Corner.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\RoundedRect8px.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\PlayStationController\PS5\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Settings\Players\Muted.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\RedSpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\CollisionGroupsEditor\unchecked.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\fonts\families\Inconsolata.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\RedSpeakerDark\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\PivotEditor\HoveredPivot.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\TerrainEditor\volcano.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaChat\icons\ic-add-friends.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaChat\icons\ic-group.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\DeveloperFramework\PageNavigation\button_control_previous.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\MaterialFramework\Dark\Material.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\avatar\compositing\CompositExtraSlot4.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_3x_1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\AvatarEditorImages\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Emotes\TenFoot\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\InspectMenu\ico_robux.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\DeveloperInspector\Record.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\PlayStationController\PS5\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\StudioSharedUI\Undo.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\configs\DateTimeLocaleConfigs\en-gb.json	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\lv.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\AnimationEditor\icon_warning.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\CollisionGroupsEditor\manage-hover.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\MaterialManager\List_LT.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\da.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\shaders\shaders_d3d10_1.pack	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\fonts\GrenzeGotisch-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU452B.tmp\msedgeupdateres_zh-CN.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.35.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_1x_1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\DeveloperFramework\checkbox_unchecked_disabled_dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\common\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_2x_6.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\AvatarExperience\broken-avatar-200px.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaApp\graphic\ph-avatar-portrait.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\MaterialGenerator\Materials\Plastic.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\configs\PerformanceConfigs\rofiler.js	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_2x_21.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\mi.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\StudioToolbox\ScrollBarMiddle.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Chat\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\fonts\RobotoCondensed-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\avatar\scripts\CompositorAnimate\v1betaRC1\AnimateDependencies.rbxm	RobloxPlayerInstaller.exe

Drops file in Windows directory 15 IoCs

Processes:

chrome.exesetup.exeUserOOBEBroker.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\0c82a60b-0e8a-4122-8d25-f12369821f0b.tmp	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

chrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeFileCoAuth.exeMicrosoftEdgeUpdateSetup_X86_1.3.195.35.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeRobloxPlayerInstaller.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdateSetup_X86_1.3.195.35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid process

2068 MicrosoftEdgeUpdate.exe
924 MicrosoftEdgeUpdate.exe
2872 MicrosoftEdgeUpdate.exe
2024 MicrosoftEdgeUpdate.exe
5956 MicrosoftEdgeUpdate.exe

pid	process
2068	MicrosoftEdgeUpdate.exe
924	MicrosoftEdgeUpdate.exe
2872	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
5956	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

RobloxPlayerInstaller.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

RobloxPlayerInstaller.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe

Modifies data under HKEY_USERS 44 IoCs

Processes:

MicrosoftEdgeUpdate.exesvchost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766839692831761"	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeBloxstrap-v2.8.1.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeRobloxPlayerInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CurVer	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3316A154-AC5C-4126-9021-B201E9C33D7B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{3316A154-AC5C-4126-9021-B201E9C33D7B}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\CLSID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\CurVer	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\roblox\shell\open	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{3316A154-AC5C-4126-9021-B201E9C33D7B}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f7e00000001000000080000000080c82b6886d7017f000000010000000c000000300a06082b060105050703031d000000010000001000000052135310639a10f77f886b229b9f7afc1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab553000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d0020004700320000000f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa42000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	MicrosoftEdgeUpdate.exe

NTFS ADS 3 IoCs

Processes:

chrome.exechrome.exeBloxstrap-v2.8.1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.8.1.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4604 explorer.exe

pid	process
4604	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

chrome.exechrome.exeRobloxPlayerInstaller.exeMicrosoftEdgeUpdate.exeBloxstrap-v2.8.1.exeMicrosoftEdgeUpdate.exeRobloxPlayerBeta.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeRobloxPlayerBeta.exe

pid	process
2488	chrome.exe
2488	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
3160	RobloxPlayerInstaller.exe
3160	RobloxPlayerInstaller.exe
2832	MicrosoftEdgeUpdate.exe
2832	MicrosoftEdgeUpdate.exe
924	Bloxstrap-v2.8.1.exe
924	Bloxstrap-v2.8.1.exe
4432	MicrosoftEdgeUpdate.exe
4432	MicrosoftEdgeUpdate.exe
4432	MicrosoftEdgeUpdate.exe
4432	MicrosoftEdgeUpdate.exe
2832	MicrosoftEdgeUpdate.exe
2832	MicrosoftEdgeUpdate.exe
2832	MicrosoftEdgeUpdate.exe
2832	MicrosoftEdgeUpdate.exe
2752	RobloxPlayerBeta.exe
2948	MicrosoftEdgeUpdate.exe
2948	MicrosoftEdgeUpdate.exe
752	MicrosoftEdgeUpdate.exe
752	MicrosoftEdgeUpdate.exe
3396	RobloxPlayerBeta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4604 explorer.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
676

pid	process
4604	explorer.exe

pid
4
4
4
4
4
676

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe
Token: SeShutdownPrivilege	2488	chrome.exe
Token: SeCreatePagefilePrivilege	2488	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

chrome.exe

pid	process
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe
2488	chrome.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

RobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid process

2752 RobloxPlayerBeta.exe
3396 RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2488 wrote to memory of 3016	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3016	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 464	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 240	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 240	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe
PID 2488 wrote to memory of 3632	2488	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BACKTOFRONT-1-scaled.jpg
1⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda41bcc40,0x7ffda41bcc4c,0x7ffda41bcc58
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3588,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3532,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=1140,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5176,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4908,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3288,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5584,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5564,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5732,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6016,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6012,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5852,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2300
- C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- - C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
    MicrosoftEdgeWebview2Setup.exe /silent /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1312
  - - C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2832
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3892
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3744
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2404
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTI1QjUxMEMtMTZGNy00MTI0LUJGMTUtMUQxQTIxNTFBNUQ3fSIgdXNlcmlkPSJ7NkExNzVDRDYtMzQ1Ri00OUZBLTk0RkUtODAzNjRDNjBCNzg0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxRjE4NzIzOC05MTdDLTQ0RjUtQjIwMi00NEY3RUFBRTlEMEJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0My41NyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY3MTc5NTY3NTkiIGluc3RhbGxfdGltZV9tcz0iNzQ0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2068
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{A25B510C-16F7-4124-BF15-1D1A2151A5D7}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
- - C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 3160
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6848,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6616,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6596,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7268,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5776,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6668,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5496,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7116 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6732,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=4936,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7196 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6672,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6572,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6688,i,1791218441350943603,2333243160316717491,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7072 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:244
- C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe
  "C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:924
- - C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.exe
    "C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:3396

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F8 0x00000000000004F0
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2156

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2948
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTI1QjUxMEMtMTZGNy00MTI0LUJGMTUtMUQxQTIxNTFBNUQ3fSIgdXNlcmlkPSJ7NkExNzVDRDYtMzQ1Ri00OUZBLTk0RkUtODAzNjRDNjBCNzg0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntENTg5NTdDMC1EOUM3LTQxOEQtQjUyNS05QjQ0Njk1OEZEMTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjcyMjY5NzAwOCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:924
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\MicrosoftEdge_X64_131.0.2903.51.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\MicrosoftEdge_X64_131.0.2903.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:640
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\EDGEMITMP_62F59.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\EDGEMITMP_62F59.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\MicrosoftEdge_X64_131.0.2903.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:4312
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\EDGEMITMP_62F59.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\EDGEMITMP_62F59.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{10D8D415-703C-44D4-AB36-54FEE553FB81}\EDGEMITMP_62F59.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.51 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff77bc32918,0x7ff77bc32924,0x7ff77bc32930
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4548
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTI1QjUxMEMtMTZGNy00MTI0LUJGMTUtMUQxQTIxNTFBNUQ3fSIgdXNlcmlkPSJ7NkExNzVDRDYtMzQ1Ri00OUZBLTk0RkUtODAzNjRDNjBCNzg0fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntCQ0YxMTUwQy1ENjAzLTQ2MzYtQTAyNy02RUQxNzJGM0VGNTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjUxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NzM1NDk2NjczIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjczNTUzNjY2NiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODY2IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NDgxMDAzNTM4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8yNmQzOWY5Yi0wMmUxLTRlMjctODRlMi1iNTRiMjRkYzY4M2U_UDE9MTczMjgxNTM1NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1mcEpMdkh2UlBISlZvMm9pYTFGWHVtUEZDalZpNVhvMEZIQTQ3QUNtNDhSRUVTM2Y0Q01pU1FVSlBFJTJiSXd0TjV5bUd2b3hocHBvZkxnYmEwRWhlR3FnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iODkzMzAxMzMiIHRvdGFsPSIxNzY2MDc4MjQiIGRvd25sb2FkX3RpbWVfbXM9IjIxOTQzNiIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk0ODEwMTM0ODIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzI2ZDM5ZjliLTAyZTEtNGUyNy04NGUyLWI1NGIyNGRjNjgzZT9QMT0xNzMyODE1MzU0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWZwSkx2SHZSUEhKVm8yb2lhMUZYdW1QRkNqVmk1WG8wRkhBNDdBQ200OFJFRVMzZjRDTWlTUVVKUEUlMmJJd3RONXltR3ZveGhwcG9mTGdiYTBFaGVHcWclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIxOTkuMjMyLjIxNC4xNzIiIGNkbl9jaWQ9IjMiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSJISVQsIEhJVCIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzY2MDc4MjQiIHRvdGFsPSIxNzY2MDc4MjQiIGRvd25sb2FkX3RpbWVfbXM9IjQ4MzA5Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTQ4MTAzMzQxOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk0OTUyNTM4NDQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMTAzMDgzNDgyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNzkxIiBkb3dubG9hZF90aW1lX21zPSIyNzQ1MzUiIGRvd25sb2FkZWQ9IjE3NjYwNzgyNCIgdG90YWw9IjE3NjYwNzgyNCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjA3NjkiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2872
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C88AD3E1-006D-48D4-BBE3-92C3508FA005}\MicrosoftEdgeUpdateSetup_X86_1.3.195.35.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C88AD3E1-006D-48D4-BBE3-92C3508FA005}\MicrosoftEdgeUpdateSetup_X86_1.3.195.35.exe" /update /sessionid "{053A7B19-FF66-450E-979B-AA497929ABAF}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4920
- - C:\Program Files (x86)\Microsoft\Temp\EU452B.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU452B.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{053A7B19-FF66-450E-979B-AA497929ABAF}"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:752
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4592
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3640
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4160
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4056
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDUzQTdCMTktRkY2Ni00NTBFLTk3OUItQUE0OTc5MjlBQkFGfSIgdXNlcmlkPSJ7NkExNzVDRDYtMzQ1Ri00OUZBLTk0RkUtODAzNjRDNjBCNzg0fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7NTc0OTk3MzktMDU5MC00NjI1LTg5OTUtMEMzNUU5QzFDQTkxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMzUiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzIyMTA1NTEiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMzU2ODE5OTI0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5956
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDUzQTdCMTktRkY2Ni00NTBFLTk3OUItQUE0OTc5MjlBQkFGfSIgdXNlcmlkPSJ7NkExNzVDRDYtMzQ1Ri00OUZBLTk0RkUtODAzNjRDNjBCNzg0fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3NDk0QTg3Mi05Q0M3LTREQzMtQjIyQS0yNEREN0E4NkJEQkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTcxLjM5IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4zNSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk4MTY4NjM2MDgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAxMDMxNDM0NzIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMzQwODgyMzM2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNjhkNTc3YTAtMWY0YS00MzRmLWJkY2UtMTQ4ZWRjMWU0YTQwP1AxPTE3MzI4MTU2NjImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9UVdxZ1I0eSUyZlV4RDRwZFJaTldCN0E0Ukt5NkN4d3dlZlY2NmgyWUFPR01hd1glMmZxQVBtblEzY29FQTdVZWtKWkRyM29FTHVmZHVVUVg4RTRzQjQxRUd3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjciLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAzNDEwMzg1MTMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzY4ZDU3N2EwLTFmNGEtNDM0Zi1iZGNlLTE0OGVkYzFlNGE0MD9QMT0xNzMyODE1NjYyJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVFXcWdSNHklMmZVeEQ0cGRSWk5XQjdBNFJLeTZDeHd3ZWZWNjZoMllBT0dNYXdYJTJmcUFQbW5RM2NvRUE3VWVrSlpEcjNvRUx1ZmR1VVFYOEU0c0I0MUVHdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE2MzU5MjAiIHRvdGFsPSIxNjM1OTIwIiBkb3dubG9hZF90aW1lX21zPSIyMzYwNSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDM0MTAzODUxMyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDM0NjE5NTUyMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxwaW5nIHI9Ii0xIiByZD0iLTEiLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTAuMC44MTguNjYiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNzI3Nzc5NzIxODEyMDkwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9Ii0xIiBhZD0iLTEiIHJkPSItMSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzEuMC4yOTAzLjUxIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7OUMxRUM3NDktNTA5OS00QzdBLUEzNzYtNTc4NjhCOURCMzIzfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2024

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5512

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2160

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:4432

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" netconnections
1⤵
PID:5964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Installer\setup.exe

Filesize
6.6MB

MD5
e8ecc691b6b345c25ea749591911d934

SHA1
b54f8b8ece5c4221c4180edfdef39df38a36ba21

SHA256
e226aafcb47b85afe8962b885921dd982bbeb356ddd1c66e5a6f42be80dd052a

SHA512
9364268b3e7333a6d52e3ab1eedb15c9cee98d5139be0708790275ef05abba12f32c2a39546b4c81f799d7ee662d5f705af9de28b0fca12a64c72ebcccd4f066

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.195.35\MicrosoftEdgeUpdateSetup_X86_1.3.195.35.exe

Filesize
1.6MB

MD5
dc1543edd0dcd56536304bdf56ef93f1

SHA1
1a8b2c7791f2faa1eb0a98478edee1c45847075c

SHA256
ccbb3d9a4877999a55b2ca6b8128481e91c4b56780f581226f916c0fb2db0772

SHA512
2a6b4aa39bc3e4d234909077d5c6d75b9968c1778d505cc12431afd7aebd01eb65ed2f6f0c53c67f18eed7e97b67a93bab8c44574e3918ccd5cfcd8681767056

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
7a160c6016922713345454265807f08d

SHA1
e36ee184edd449252eb2dfd3016d5b0d2edad3c6

SHA256
35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9

SHA512
c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
60dba9b06b56e58f5aea1a4149c743d2

SHA1
a7e456acf64dd99ca30259cf45b88cf2515a69b3

SHA256
4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112

SHA512
e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
c044dcfa4d518df8fc9d4a161d49cece

SHA1
91bd4e933b22c010454fd6d3e3b042ab6e8b2149

SHA256
9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2

SHA512
f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
965b3af7886e7bf6584488658c050ca2

SHA1
72daabdde7cd500c483d0eeecb1bd19708f8e4a5

SHA256
d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

SHA512
1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
567aec2d42d02675eb515bbd852be7db

SHA1
66079ae8ac619ff34e3ddb5fb0823b1790ba7b37

SHA256
a881788359b2a7d90ac70a76c45938fb337c2064487dcb8be00b9c311d10c24c

SHA512
3a7414e95c2927d5496f29814556d731aef19efa531fb58988079287669dfc033f3e04c8740697571df76bfecfe3b75659511783ce34682d2a2ea704dfa115b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
f6c1324070b6c4e2a8f8921652bfbdfa

SHA1
988e6190f26e4ca8f7ea3caabb366cf1edcdcbbf

SHA256
986b0654a8b5f7b23478463ff051bffe1e9bbdeb48744e4aa1bd3d89a7520717

SHA512
63092cf13e8a19966181df695eb021b0a9993afe8f98b1309973ea999fdf4cd9b6ffd609968d4aa0b2cde41e872688a283fd922d8b22cb5ad06339fe18221100

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
570efe7aa117a1f98c7a682f8112cb6d

SHA1
536e7c49e24e9aa068a021a8f258e3e4e69fa64f

SHA256
e2cc8017bc24e73048c7ee68d3787ed63c3898eec61299a9ca1bab8aeaa8da01

SHA512
5e963dd55a5739a1da19cec7277dc3d07afdb682330998fd8c33a1b5949942019521967d8b5af0752a7a8e2cf536faa7e62982501170319558ceaa21ed657ae8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
a8d3210e34bf6f63a35590245c16bc1b

SHA1
f337f2cbec05b7e20ca676d7c2b1a8d5ae8bf693

SHA256
3b82de846ad028544013383e3c9fb570d2a09abf2c854e8a4d641bd7fc3b3766

SHA512
6e47ffe8f7c2532e7854dcae3cbd4e6533f0238815cb6af5ea85087c51017ea284542b988f07692d0297ebab1bad80d7613bf424ff532e10b01c8e528ab1043a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
7937c407ebe21170daf0975779f1aa49

SHA1
4c2a40e76209abd2492dfaaf65ef24de72291346

SHA256
5ab96e4e6e065dbce3b643c6be2c668f5570984ead1a8b3578bbd2056fbad4e9

SHA512
8670746941660e6573732077f5ed1b630f94a825cf4ac9dbe5018772eaac1c48216334757a2aeaa561034b4d907162a370b8f0bae83b34a09457fafe165fb5d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
8375b1b756b2a74a12def575351e6bbd

SHA1
802ec096425dc1cab723d4cf2fd1a868315d3727

SHA256
a12df15afac4eb2695626d7a8a2888bdf54c8db671043b0677180f746d8ad105

SHA512
aec4bb94fde884db79a629abcff27fd8afb7f229d055514f51fa570fb47a85f8dfc9a54a8f69607d2bcaf82fae1ec7ffab0b246795a77a589be11fad51b24d19

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
a94cf5e8b1708a43393263a33e739edd

SHA1
1068868bdc271a52aaae6f749028ed3170b09cce

SHA256
5b01fe11016610d5606f815281c970c86025732fc597b99c031a018626cd9f3c

SHA512
920f7fed1b720afdb569aec2961bd827a6fc54b4598c0704f65da781d142b1707e5106a459f0c289e0f476b054d93c0b733806af036b68f46377dde0541af2e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
7dc58c4e27eaf84ae9984cff2cc16235

SHA1
3f53499ddc487658932a8c2bcf562ba32afd3bda

SHA256
e32f77ed3067d7735d10f80e5a0aa0c50c993b59b82dc834f2583c314e28fa98

SHA512
bdec1300cf83ea06dfd351fe1252b850fecea08f9ef9cb1207fce40ce30742348db953107ade6cdb0612af2e774345faf03a8a6476f2f26735eb89153b4256dc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
e338dccaa43962697db9f67e0265a3fc

SHA1
4c6c327efc12d21c4299df7b97bf2c45840e0d83

SHA256
99b1b7e25fbc2c64489c0607cef0ae5ff720ab529e11093ed9860d953adeba04

SHA512
e0c15b166892433ef31ddf6b086680c55e1a515bed89d51edbdf526fcac71fb4e8cb2fadc739ac75ae5c2d9819fc985ca873b0e9e2a2925f82e0a456210898f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
2929e8d496d95739f207b9f59b13f925

SHA1
7c1c574194d9e31ca91e2a21a5c671e5e95c734c

SHA256
2726c48a468f8f6debc2d9a6a0706b640b2852c885e603e6b2dec638756160df

SHA512
ea459305d3c3fa7a546194f649722b76072f31e75d59da149c57ff05f4af8f38a809066054df809303937bbca917e67441da2f0e1ea37b50007c25ae99429957

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
39551d8d284c108a17dc5f74a7084bb5

SHA1
6e43fc5cec4b4b0d44f3b45253c5e0b032e8e884

SHA256
8dbd55ed532073874f4fe006ef456e31642317145bd18ddc30f681ce9e0c8e07

SHA512
6fa5013a9ce62deca9fa90a98849401b6e164bbad8bef00a8a8b228427520dd584e28cba19c71e2c658692390fe29be28f0398cb6c0f9324c56290bb245d06d2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
16c84ad1222284f40968a851f541d6bb

SHA1
bc26d50e15ccaed6a5fbe801943117269b3b8e6b

SHA256
e0f0026ddcbeafc6c991da6ba7c52927d050f928dba4a7153552efcea893a35b

SHA512
d3018619469ed25d84713bd6b6515c9a27528810765ed41741ac92caf0a3f72345c465a5bda825041df69e1264aada322b62e10c7ed20b3d1bcde82c7e146b7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
34d991980016595b803d212dc356d765

SHA1
e3a35df6488c3463c2a7adf89029e1dd8308f816

SHA256
252b6f9bf5a9cb59ad1c072e289cc9695c0040b363d4bfbcc9618a12df77d18e

SHA512
8a6cbcf812af37e3ead789fbec6cba9c4e1829dbeea6200f0abbdae15efd1eda38c3a2576e819d95ed2df0aafd2370480daa24a3fe6aeb8081a936d5e1f8d8ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_da.dll

Filesize
28KB

MD5
d34380d302b16eab40d5b63cfb4ed0fe

SHA1
1d3047119e353a55dc215666f2b7b69f0ede775b

SHA256
fd98159338d1f3b03814af31440d37d15ab183c1a230e6261fbb90e402f85d5f

SHA512
45ce58f4343755e392037a9c6fc301ad9392e280a72b9d4b6d328866fe26877b2988c39e05c4e7f1d5b046c0864714b897d35285e222fd668f0d71b7b10e6538

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
aab01f0d7bdc51b190f27ce58701c1da

SHA1
1a21aabab0875651efd974100a81cda52c462997

SHA256
061a7cdaff9867ddb0bd3de2c0760d6919d8d2ca7c7f889ec2d32265d7e7a75c

SHA512
5edbda45205b61ac48ea6e874411bb1031989001539650de6e424528f72ec8071bd709c037c956450bb0558ee37d026c26fdb966efceb990ed1219f135b09e6e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
ac275b6e825c3bd87d96b52eac36c0f6

SHA1
29e537d81f5d997285b62cd2efea088c3284d18f

SHA256
223d2db0bc2cc82bda04a0a2cd2b7f6cb589e2fa5c0471a2d5eb04d2ffcfcfa0

SHA512
bba581412c4297c4daf245550a2656cdc2923f77158b171e0eacf6e933c174eac84580864813cf6d75d73d1a58e0caf46170aee3cee9d84dc468379252b16679

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
d749e093f263244d276b6ffcf4ef4b42

SHA1
69f024c769632cdbb019943552bac5281d4cbe05

SHA256
fd90699e7f29b6028a2e8e6f3ae82d26cdc6942bd39c4f07b221d87c5dbbfe1e

SHA512
48d51b006ce0cd903154fa03d17e76591db739c4bfb64243725d21d4aa17db57a852077be00b9a51815d09664d18f9e6ad61d9bc41b3d013ed24aaec8f477ad9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
4a1e3cf488e998ef4d22ac25ccc520a5

SHA1
dc568a6e3c9465474ef0d761581c733b3371b1cd

SHA256
9afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011

SHA512
ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
28fefc59008ef0325682a0611f8dba70

SHA1
f528803c731c11d8d92c5660cb4125c26bb75265

SHA256
55a69ce2d6fc4109d16172ba6d9edb59dbadbc8af6746cc71dc4045aa549022d

SHA512
2ec71244303beac7d5ce0905001fe5b0fb996ad1d1c35e63eecd4d9b87751f0633a281554b3f0aa02ee44b8ceaad85a671ef6c34589055797912324e48cc23ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_es.dll

Filesize
28KB

MD5
9db7f66f9dc417ebba021bc45af5d34b

SHA1
6815318b05019f521d65f6046cf340ad88e40971

SHA256
e652159a75cbab76217ecbb4340020f277175838b316b32cf71e18d83da4a819

SHA512
943d8fc0d308c5ccd5ab068fc10e799b92465a22841ce700c636e7ae1c12995d99c0a93ab85c1ae27fefce869eabadbeafee0f2f5f010ad3b35fa4f748b54952

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
b78cba3088ecdc571412955742ea560b

SHA1
bc04cf9014cec5b9f240235b5ff0f29dbdb22926

SHA256
f0a4cfd96c85f2d98a3c9ecfadd41c0c139fdb20470c8004f4c112dd3d69e085

SHA512
04c8ab8e62017df63e411a49fb6218c341672f348cb9950b1f0d2b2a48016036f395b4568da70989f038e8e28efea65ddd284dfd490e93b6731d9e3e0e0813cf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
a7e1f4f482522a647311735699bec186

SHA1
3b4b4b6e6a5e0c1981c62b6b33a0ca78f82b7bbd

SHA256
e5615c838a71b533b26d308509954907bcc0eb4032cdbaa3db621eede5e6bfa4

SHA512
22131600bbac8d9c2dab358e244ec85315a1aaebfc0fb62aaa1493c418c8832c3a6fbf24a6f8cf4704fdc4bc10a66c88839a719116b4a3d85264b7ad93c54d57

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
cbe3454843ce2f36201460e316af1404

SHA1
0883394c28cb60be8276cb690496318fcabea424

SHA256
c66c4024847d353e9985eb9b2f060b2d84f12cc77fb6479df5ffc55dbda97e59

SHA512
f39e660f3bfab288871d3ec40135c16d31c6eb1a84136e065b54ff306f6f8016a788c713d4d8e46ad62e459f9073d2307a6ed650919b2dd00577bbfd04e5bd73

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
d45f2d476ed78fa3e30f16e11c1c61ea

SHA1
8c8c5d5f77cd8764c4ca0c389daee89e658dfd5e

SHA256
acf42b90190110ccf30bcfb2626dd999a14e42a72a3983928cba98d44f0a72e2

SHA512
2a876e0313a03e75b837d43e9c5bb10fcec385fbb0638faa984ee4bb68b485b04d14c59cd4ed561aaa7f746975e459954e276e73fc3f5f4605ae7f333ce85f1b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
7c66526dc65de144f3444556c3dba7b8

SHA1
6721a1f45ac779e82eecc9a584bcf4bcee365940

SHA256
e622823096fc656f63d5a7bbdf3744745ef389c92ec1b804d3b874578e18c89d

SHA512
dbc803c593ae0b18fd989fdc5e9e6aee8f16b893ae8d17e9d88436e2cd8cae23d06e32e4c8a8bf67fc5311b6f2a184c4e6795fed6d15b3d766ef5affc8923e2f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUB680.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
64c47a66830992f0bdfd05036a290498

SHA1
88b1b8faa511ee9f4a0e944a0289db48a8680640

SHA256
a9b72fcb3bdb5e021b8d23b2de0caeca80ddc50420088b988a5b7503f2d7c961

SHA512
426546310c12aeb80d56e6b40973a5f4dffef72e14d1ac79e3f267e4df2a0022b89e08bba8ab2ffa24f90b0c035a009bed3066201e30fe961d84ed854e48f9c5

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
6.8MB

MD5
ee40308e2ffbc9001db2324ff6420492

SHA1
47cabfe872311f65534cbd4b87d707ccdef559d1

SHA256
38cd32dedb5c8c2af8ecd56827af5b4477a4b9ca3e518199d389a261baa999a5

SHA512
5f5fd0db005d49d63eaa81b288d2d6d40ce9c84cafd1c75d33723e47f23341d5ff254c2ed6274790242ad53f5360467d121cf1196ec7a073d4506166248041c3

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
5a4ce3d3952b188a318d9ddc3113de0b

SHA1
4d2595f519f4d34cdd0ebc181ccfddc325557311

SHA256
d61896ef36d02155a41835388bfc8a7490876eb686b36c563b25b77d3c0575ad

SHA512
5a6f6215922fa2e14e0739f5f2b44dcdc073a74c2b006460cfb924c9f1befd9545ca22572a5703376479339f66464a89db37b2a472d97e41c9d795569639abe0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3f9019ac-1e85-4a00-a031-05833234f4c9.tmp

Filesize
9KB

MD5
a178c20d4793b842b52469957572c5c9

SHA1
89153e90e67cdb2ee780d48f9171e41300973fc3

SHA256
9f22a403d7e5f39002bc4c827a1cf62a61646244f2a143f136eaac8f92b89a6a

SHA512
969edae65b8c51061024f845a48661e4df78aae420fa8e1b0d1eca381c24b8659277ceec1a3fb774860a7ef006099e98b1d3d35594ab579793b5f249c19e6f6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2c5686cd96b86b4ae22d91331264e081

SHA1
1c570862dc4833831795deb55859da7b5e83c465

SHA256
4e1106f845e00cbff16c85d63d16740b353e183c92f653c81a60d18ca3081359

SHA512
1890153a39a2417b90ab107028cb532cf81b7e207f5eb4b782e575d4be211d208aba5d2e37614f0232a9a933be45e1a14804a310616b61c77dafc3d1e0c389e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
72KB

MD5
eefb3b7038040a2b45001d9b00e3614c

SHA1
64f409fcd8dba116aa15366783133833ea2e29e1

SHA256
d6def6ae11d1cf9bc2c244af00ffe3c6161263c26212e4009c613a02c8a9ea76

SHA512
d463a84948b07ac2b1c51f471e21e592f84b249f6a0f58853f3e38a357068b8a6e9d33de1146e187bee9c586bbb3525b7397f2f1b4f2a2c66d784e50385bc121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006c

Filesize
20KB

MD5
e92faff58b6be9dba9bc283c4f4c8513

SHA1
49588273a413dffd248cd35dd191189ed2c2343c

SHA256
8c6c6736f4650f9bf7af6fe14128a3d173816f3dee2e02c5552240c04852b691

SHA512
52ddb77b600f519eed2343d528b9c9bc03585c82edaa91c63e8850d19be23c2f645bc8faea19c3d75ccffb30e4e69a3605883106fb1783346a8883465051643e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
008a08757a678d8d341d87b3ad09bcab

SHA1
b9603f492a2372a58b6c0cbca0780bfbde4bc299

SHA256
1ae9e7658ede1784534737ffcbbd21446742aa15342bf9308294d144350e4bdf

SHA512
cfac2dae33263ba3cc2193c3683e1bc35cf680f80e5f938f26509e3253d1dd60fecef4294130858e7208235606f1e4b5b26e37cfa65f75a3fdf47311ff70f96a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5af57aa8923193b08e79bd75b57e1478

SHA1
e89ce11b9f9ad69b1fe1342697aa2904c978cb84

SHA256
a280dc8e12672c6ce50b53fde7be6a1a78b54c4b18f8b4b0402288264f6bcba3

SHA512
4faf3f122982a5beb616132096647fce84a8211fb75e61a04dd7f2835590ed2932dc079c271eaf27f2d48e8ac4ec0644699e7e23d2c9b5b495300141afd35028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
17302831418c816493dc32b6b95117a6

SHA1
c3fd892266f910e24082749146e5a5ebaf26dedb

SHA256
314c73027056bf1d2cef405ee9921ce516feea55ba3e866e98d1a3d4e0a8f93a

SHA512
271e5927b2a117a062b47105d9e9464b523786f6ea8e057aeaa3b0da87f08fdf91a8030a4a191f5389b352b3777a1d4cb8454bff743906bc1dbe48ed551cd0f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
896be7835927383160cb924c80f2ab1f

SHA1
7d6300b46d95114fa68f86b583424a093792cdef

SHA256
d53fc9b7f4398ce72b60b4f278bd56e95b574d1054792c9530df50e62e34544d

SHA512
758711cc7bd07eecf0df506494d2412058f4e8f617c34d7c74a7884e28fbe92baaa8f21f8f701dd6687060f37b81f17167b02c19b8e503f9fc9dbecd833c3e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ecac7cee14a392ee781a8eb4c63f22d6

SHA1
17e1529eecdb4a348cd3140a3ea218c7ca2ae190

SHA256
033d3f33bdf45d43b8fe998e8f5ce6b3a851df72375cba23c5673edab5248e3d

SHA512
a7e86783292953774165422fd4f4321b66359419a14120fe30223fbd9de0e68a2eae047598681b81255e520700b4eebef211e5a478cdd9eee781cbb7c4497ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
6006bd8147cda2c013afb682748d86a1

SHA1
ac690db76504961e06af06e0d17d4020306ba7f5

SHA256
b7d0b245ce031d34a43da09e6079f8be1c9ec0055f81e171a545d4b05334db11

SHA512
1262082986cd942083082412b583c930a04b0bf5beb2b851faee6b58b1fc93e40089658000fe2c6a28529c823cc704e94e95d4c9a609bfc52860a13b9fe5ceb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
41f0f3016872583cc462b23dc69ad7e5

SHA1
2f13bd3520e51bb1421c4715258898dc1404196d

SHA256
df887507a9cea07714c385edd589dfbb95367fd47177ebc4f93cc7ae16986ae4

SHA512
7bd5e7d342c3c26c3132c237e703b590f00a3ceec30ebfdcd4ebb48f853fff3227208c5a16194d14f27f853a4915c16e571ffa5e844a69502d908fbfc9ed36e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7a40c2db3c192807b9ee1bddb3fd76ad

SHA1
649cc78304d647d0631f3e649aaae92bd47ef053

SHA256
c4e9108b64a7dd443d9c8e3abc77325ce392fc6410af86cc41a6b17424ee7e8c

SHA512
e7431dc5b8d86999f748e296703a646aaaa7d8675b858427b48ed18515ab162c7d53c19df7307ad0ba55d759d9a8a82ce6098abf6d27a9aec25e04d38f745b92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
cea0710328dd19cc7fd049a7a109e73d

SHA1
a07d887cb8ee93f8d77945a4c4e23d75823e445d

SHA256
e2938155715133696c827dd0cc3e7b85d753f7d6416ced221a7fe2f770c01a64

SHA512
1e902537875e7a19aa5ee29e3c496fe8a26024f22bf2f8db001d263a97b292609de425a8ebf0d106b0ff109eb5102a39a015d65aa2b141e9a1c5e3dad0499467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
fcecaa640578d579cf3b376585589716

SHA1
f85fb26da090c3d1faa34bd0a1cc3a6812cd353c

SHA256
a6cbbc592bdc02d1ac5db0ac7c682b370d0e3090c243815e9a3bac00d668d26c

SHA512
f67f14db6620bc66e16258b2b2a4c8d2e5cd2abedce9b091a6d1e6e93740f2f9645da132c646eb728f1e40aeef99590a65f835137cac40a6e05eeb3f6004fbaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
85b379128fb7b3241c7e56c2674cb7a7

SHA1
fcee3e61cc4ba43b7274db36815b69aa9d2c5e9d

SHA256
46f2e54128e6bb69ddd01a471b14f54bf7dab5016c75532ee6cec3d191a093b6

SHA512
0d54b2814bbd53e95d0c9dfcb77dc56a1b5022d75c98cf33405658399fd6cc1f864089f471720e789c1c01899991c09fbeb8a7babef491fd66ca24ab654dfde7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bcc57a44468ece28fbf58b63f7656ccc

SHA1
b903316edcdfbea5c840ed06ee5598a14eba0095

SHA256
30b7bbc36cb8d8a0ad9eee0dfef7c0182393ba5bdbd7ae8d7321a860e0f6f403

SHA512
b5e3fdf55d880c63eb8feaf7e2b9a74a8821fb53b76d31148d4b9490afe8abb44055be2787e6737ed65c52371014d5f15153dd157026f6e43d74f822663e159c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9adff6556adf4a2d78a716a8fa9281dc

SHA1
68f858c01ef033bb7bb4a0523e32038e842f436b

SHA256
4d9d5dfa5e0603f8a4afbab9d3e866baeaa33e72748c8f4937e31a249e7600b5

SHA512
313e73d4ffbdb8c46b90305d511f03688757c68b80b5e2231f032afd59165ccfbd5164d990141a3740a15c6c59564a70db7faa5b9ade24d3b126c7841a0e8262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b0a1dccb1b50d8d54d120534bf179ed6

SHA1
055b04387eb294667ae6ee0c41b328b3cc1cdb96

SHA256
995caa8ff5c9cb5501701721aa389f9cf3562063a9e5ac784579aad3fd079487

SHA512
95805db072930013199b98c49dad000095d8d3610c2b093919626d1c4b4b328b717375efe6fec58b3f2810a1a56e46b91d72fe637fab5ad29180e2dc127f7734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
72d36896a7dbabda509e40d306d05ffd

SHA1
95e70bf09bff486dbfbb3794b1edf11b07bbd384

SHA256
833db6f2cdb14aea999776118b056069a8a9f79dcd96b16db0d362609e17aa21

SHA512
a9c0a278687cb36c194b910e3bd7eef9b90c198bc6f524701feb32f073106039bcbe0133e17c336b7cf9f61a1ecf904a552aadbd9b71f6e3ce56d5e3480e2f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8e208106f1aefd96fa26d342c96395ae

SHA1
096921e40db8576576b20879fa7c474aff5aef26

SHA256
900704382e5a5005d4984b8cf3de07bf6f64d9fbf9698ed49ea35e38901c7f56

SHA512
a174cd426a52333450d229c9c470ee4eddf64b01aad070f380066e66ecc3a53e39c0d0b43f00e73ff26e977f24f2d5aae331e3c913d23bc91a25fa51a9f1bc62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ebc29768785fb267041eb43fd8dbbb8a

SHA1
2a7632d623d0f0c781d6cc0358d45bfa8fd92025

SHA256
177079cedf69647294d8deacded486ad75ff50b6182818409f8b3db9442fcde4

SHA512
91e22e77999d1e90285fd5c0a965f8b65d3c107913a9215f5be2e349f6aabbd0358965536fb2ea6a5fa5131d65764dc14c1bba952b2ae9e61d0316ce7a3bade2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
23c2f20e0d7f63905155b403f48e50a2

SHA1
479499ac19bf8bb3a99069236eb8e5b7398f6386

SHA256
632b411134e0ba544de8c8de80b9df596113a8819adc32e8ccafadd32fa78daf

SHA512
3947fc40ea75945fc49cd4d01b66f39ef51eb071606ccb59c95cad5d1a722524272daec647b951b78aac319981fbae6baa260fc14a9b3a3feae2b4873b208455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a30cc1a9e8dfb4ad7aa3097e5018b676

SHA1
183d21157fe13c702fabdc07b05d262485c9fa96

SHA256
ee573c09813ac51a8677d74098bc124d7cfa35ede9794c59c2dcfe435e681c86

SHA512
57df3c016595f24171985737d077a007c3bbc740e2a7799a0bb66879388858b3992c6e58e7860f3bc1d4e0e2a4b8c145f791ef497aa498b649fbe99b5dc91d92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6d0da047878797bcb0b8cdd4df285373

SHA1
0ed4170771290e2ef53e752a3999c1425cbdba6d

SHA256
7ff292682280585a96ae4e455e70312a96ebf8baec9668dff8ebbbea96498232

SHA512
06dd90e2f06800ccf5fab127051ae3d5aed1f1770d25699c85d7588c07df175de144f125b365d059fb34cc6bbb3083194d49df2d273f89afbcbf0ad6e6fab50a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
70e6979db0c8f3a66c6c82e304a1b10d

SHA1
67d81f274b015a6562af8c10590c721a5294f22d

SHA256
37e68449d2fe5a391331c63d6f434354311822a43ea73cdcc43de4234aabb634

SHA512
94bef94c052d26d42ebd75c30bd183c48cad3c331e48d0bee5ee0c6c011447119ce809cd80c7d96b721fae9819d6dff28942917072afd0ed9bb46c3455296595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
85a045ab1a65b36971a068d5fcb9d8f8

SHA1
2e83acdee2958a674be84cc21983edcf1c323138

SHA256
8b946eefd0673b372010664279306840f93cc54917a9ace681fc3a7887ef3975

SHA512
93fc88bd9e07de8dc34fab708bdb69deb30f08b8dd73bfff189525f3a60562166dc1504735b26444e852ad9bcffd8e79c69b1c963ab9dbe55318801b7914b991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e197b736342f121e0fa56b25d1e41ebb

SHA1
e4eda30cf2b5b8ef8ce6868f77356577255a2ec1

SHA256
9944e6a8cfa3ee7aea0eb9aa5d3cb1e7625902cf8594255457442bc51bcf3604

SHA512
eaa855e6fdd479215c7b7da319d5fa2a11312cd77e417fbf4cd525f1bcdb1f9b2783a1911c0e51651e4b8978c788ab0278c426ab4c28f27b66424651be5d1c57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4f1be2c44a586354e2c5d9e6e9003cbc

SHA1
4483d586d66117f447683995b89384d18d74c9af

SHA256
dfe153d32fb576ac75c7c01cbd55117a02ce1da39e1f9c3d320730d9d1ea5fd5

SHA512
47fc41636b69142fe0ea09724ed38241df0d220df02252c3ba9260d96880aca1b6966103127c123f7958bd91e8364e418ca8aaadd9b5cbbed23b878391406a9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4da8f7918806eea9b981ac1081a90ce5

SHA1
d24461c6429d7127551455b61c7ea3d44d340071

SHA256
505ac34248d803cb78192e0f9851467d4bc89983aa23e395a91eb29e65db7192

SHA512
967d8d4c4f2ae87d92502b1fc28d9765e736bb4600f7fa3968544cdfacc92a293efd288870369473b815f36cae325a345aa90f50144f6f3666201493cbbf66dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b0703d1e133f52c6819d29f0fc69c0d7

SHA1
fe9e1a7b7e8101f999386644c51a25447fb99e44

SHA256
6e649285d9669308e895feb8837dfcb57b29cd92ec3c4914079936dff190faf8

SHA512
923615e44df31ca5a59a264092863656c0d7e889785b520d25141c0c1d9e9fd190bd7ea9556faa7c5d8b39850fa8218324fb53d6b8b797c518877ae57d9e0789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
44291178b891c95317238c0193fd6a58

SHA1
0a358ae87acd4212f46ce2eca2015dc9b24ff2c8

SHA256
0ac7b1c40fb65b199ae7625397580c9dca6713398c59abcc70c70caaea196299

SHA512
01806efeae4abf0fef1770adf419d8c42f54562e1a704d44ec5f92a9ef8db0fd5e393505e852d0eb4eb0e12f5f0f1b97b45464aae9a2afe508b63a44c8018a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1d315d1d262250d95df9c70fae47d259

SHA1
c8db9bc9972f5eb2a6370a98929bba3c8968a01d

SHA256
0ab488286949b1721a9e12f2be74cbbbb6a9f0de2f592118f082c688bdba4990

SHA512
84d243749028b9c9d6f4bdce4cb2f2ae49232faf5b8868b7046d3ebd25bec3c3202c6efca235424788edf2a9eb2a1af8580e752d8cc9abb70982331d9d1822ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7ecc05c570f8f72dc9edc69325d8ff37

SHA1
9c2ebc9fcce1137f3a7951bbd434bac86bea1840

SHA256
0814ff057f73bc2c618d3e1287210d61523b9054dcc47b501de29e5b98f104ca

SHA512
e26b51becb0caa5fc4c1e2821f5e6673bd7930781a716f4a1597895f378638907794ebc48a568d96959443bdd17d1cc00bfa72ed06142046d2f1c599b62185e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b5f0bd25da3a6d7551d8446f059be814

SHA1
3506e8b015ce71c2b70bef16b24ddddbd46f6a53

SHA256
04e852df86ff3eaca43b05f95ce4821b3f9be2091cd062314c6ff98a8adeb908

SHA512
f01494e75ee8fc1834f77c911ee50f68725412fe98e2b69b1fbfdf4dbafaac40f478c08ca33dff4f4911e2f6052aa02e45858a83066c34b94b27d735d89e0a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1ce0967a0fe369a6211e6c197f492cd8

SHA1
460480f1d3f8fb8a6aca5044ac6e9db580809aaa

SHA256
65b84fac5ed22ef916c0a4c479bcac3d80c0294d98a202cdbac51c95902e1940

SHA512
db489245b2947cca9929ce35371bdd286e2287cf3f4ee8e0b126802c6a759bac74412e5dba4b0cb0a66c58b9441d914116e3aeb5e3238c9677a4f53496c31858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
26bffa62aa971b512710fc32e2ba8e66

SHA1
db24dd312f9cef9ff16ec40d407edfa4b4eb9297

SHA256
71944e3521beca3cd3cf9dc152d089ee821ef6791432cbc7b6b1ebadca148adb

SHA512
4400d6589755d263fba115fb05400d514c35179599ed426466f505a3ceabd0798e5eebfac72fcb91929d4836533cd8e1ce301b128d86f0a810218fbbd72a927d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
52f33da359cffc93fd33732d4acdc40b

SHA1
ef67a30b2130db51690a5987629e8b5892957dfa

SHA256
7af3753322430b79c32ca1224aba095a6767d5f7e772f6d9360fcf0cc5f10b70

SHA512
dbf9497f17f308a88d1626b49153e595a0b2b8a678bcbe47f51d64987658cd69bfc66f764cf13a9cd88dd002091e4d5fc7c4c135c30dddc35445e97c2f958d4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d1e38cee2dbfa5584cc71faa2ce71a1c

SHA1
4879b9daa63c941f50bf11d1b845f9e8846a2045

SHA256
3db59b560488e568bda0c7908417641ad2ef46d3688d5523f52029bd2cc1c4ef

SHA512
9fe904c49595f8eb3287e400729cb2b8aa4b4b319a4ec02017350de209bfaac9af99bbbdd43eb40b1fd3e5ea89e77a1c82e8ea2d95cce84606a82a1f2c6665b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f1a508a4f37aa5892d7b9f41514cffc7

SHA1
3ac7be810fa98ad9e810e910756ea32146389f89

SHA256
8e7e1f03a7e39907ba3a8749e4daea947b246e2d82f8aeb5155f675c1e056753

SHA512
da53a18170bdce9b1ac7258022118921ba043983ed51e70c941a1c260d4f29d5c7a74d569a02bfbda87965aa9574ce5455fec9e06bea9e511b49e3b9d725b19b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dc270fe2f1d82b1461221aae265d6f70

SHA1
7fd253f74fb67d0496b7533b9c7591946aadd024

SHA256
9f418eafaf5608ed28136e911b9c2003c16cdb12be0926161c475756278c8110

SHA512
b52877be36b3c9d6aa8775b844c162bc688021b41399ced5dc619a52d3801591a82b98b632eb749353aa1f1a288c7f024e322e62a0617b8392fccfc0e2c82ab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a493e329139e0235fd310baf76269fee

SHA1
5c3c9a779f630e530dfd7ec6730248befc41c35f

SHA256
ed35c3e35b8cfe79fd1383138ca853dcad12e63b9c6945c8386cba25d54a1487

SHA512
6d33c32fc8c9b0ed8efc47f44ebff234070513806f84fe16094908ec1145b2635c6fca08c9462b8cd5e2f690fc4d0654342ad395afcaafa81a50d555a97cdb79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b74b6fa2ed8dc3e1c657a571155672f0

SHA1
88f7e2543b1275fba3ad6a034ff72cfab8744beb

SHA256
82cd151cd616f4f62bb6112c87ed49eb32849e73060c091f08378444eb758d4c

SHA512
34b88e1d40501409d9ef42d0ba2bba56f4978b300223458f9a9520b7e31ec82d079292f715667d4a739cab493e52506ebc7a94ee096e0b6ba16c9edd86055b86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3e65eb60b1360afbb3728bbf1a0dbd0e

SHA1
7ba49e451661372d39c550245c319aa3a0d38374

SHA256
d57db4925e862ecc30fa30001787b988fed9431401256bb2695e41533b6e6d0b

SHA512
ac1640ad3a5137ad006418265071547a6b984a32d64618d2be2981d448469686c5bc20c393daedf9de3680d3e00d992a5d4ab1f4513cbccf9e77fa36e33d3d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
df9bf0a23dceb16be15d552cdce5da6f

SHA1
924fc92363253af64fec42deae22ad793cd4696f

SHA256
b2886c01942508941a9e692d221a032ad003845a7b5bd8bace93a6e380c22b5e

SHA512
430b9e5cd032ea2399996e1b4c69668616dc5ddc2124b45b1801021281464f8081c4641075c4c7766c702d68fb5c1e962f40678cec6687dbd6bc838c44e0710b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ea252b13ff910c492a92138c87563df9

SHA1
7a2a09b6c9c64feb74844a55f69d3af7d83fd56e

SHA256
5c3abe2d32d91d703ebba4e47e9ded4c1395b8dee2d79b92f926054d52b8f7cf

SHA512
2ba3308e6445046d6224ea27b3f01f900173ca1773eb57280dac00df934b446c86924631fd2827741a13ee27dd5404b9ff540a901c6173c67d7ec529548743b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
eefbd56031d4fed8a92a26c299035145

SHA1
8d7896818fec6231aa9f4c72bf9bc3e471af436a

SHA256
0a998e5e83018ebb021c7afa07ca37de0079f8dcac1dee680b84b21107785b5a

SHA512
305d47e372106033909087b5caf32b3e6bd8c0dd577ace288ebff75533d8609a68335007922e1b56667527d5c5af6f0c38f3655a4bedda936ac2f6da5686d1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9485f10ac3a3781043bc7327c0ec148b

SHA1
ae9a6e01187a1bd98f8ef71a07197b179c9dc10c

SHA256
fbacb2877e70d4f969b7bea26539072b0243ce7a4edee7d7c9302959e26cd2a1

SHA512
4a4f8463761e1d8c434fe52f4c14ffdd12d760ddfdd68728c715482105322bc9c751fd80d7edc5e1d324a1c4bd74ffd788c2ab042510f267fe50cfbe782881c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
295d865dfbd5a6137cc16af04e647303

SHA1
8d646aeaf94c4b7f26f59a5da12708987b6d113c

SHA256
7d4d309945663c30e75ec3c9f591da3d1ec51706aa6091e8a8597278ef62f6dd

SHA512
5de6c9b5c6643a2b65b4456f9691b1e89e1d91ea7f6d688c0f130663e3773356f86f3f4d3eadc908654880931c210d0590e9263ecd6182fe694ff189a484537f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d13b2d6e5b481fdfb0b7c96c14425869

SHA1
1e45fa0e9ee3ff2b94441e4ad6545ac93982c2fb

SHA256
6cc3ef620802610a193ea3ebe2ebe4a4993ffeb0252e8a579ef79a362d9fa41f

SHA512
40a407100cce062ed58eb3af84e3311548c8bf0e7c5b6ac217f3c7e17c8531a0de065c6c41e1707fb875d2991ce26545cfcd4d49f1f58d4b4231d0284b6330b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3619d9900b84e1a934f599c394812648

SHA1
9e3f025719f8a1034e88ce7ca190d0ff3a831545

SHA256
0059717c6edf52f53749c3d21f326c4def92955d12b281cd700191e027481c80

SHA512
0c37642a91c010b0141ffc30d5b926d746f7beb21fdb4d789b98633f955e8b1ee5f6ebeaefd96cad6b62e6477b8ec05436caa973e04606241fe9f09e2a02b6e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
83093ac90a2b7eddba2a3c48d17e2456

SHA1
8ca7293298c421ebf8069fb783abc2fbbbd6629d

SHA256
f85cc6bacfa1d3ddc580606477607e1113745cb6c957bd8df85fb69c2160cf45

SHA512
ccd05db2af91516dc01f0775785e939f51ddf739a8b08e4ad6b4fca185b2e0a7d48fec54528d697e5010fe20127ba616b6174099a5fddb9347897084ba24c00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
72c7db088adbdb1f79401b96054ed5ea

SHA1
c915a0705dc41700f368a9e348bcc2e2970b5c09

SHA256
82a22f2a45e471ad3b7126dc1476c2dc4cb1c447c69524ca09fe1b97223572f2

SHA512
922e246660463bc8d24f0028ebfb73a56fd809147fae87a9314954ca2b0f1559a179ed782d586eb5e9e27eb96f810f95ee48d8cf4c70da739b72c3ea527dca50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
102bb75d41299cedaa6ce6a6102dee65

SHA1
a01661bbbc5f5254157c1c0e6f982d27ad5cc624

SHA256
bf0970140a2515c1a055432bdc04f95af3a8f68c598d214b304ae916fe31f4d3

SHA512
7e9bc557a7b26445a0e78f5818cf06f2e57b61fa83634d45a85102a1143c684de1ad728065dcf3cb9a84a0a7b054fed5edfddcbd02b9f2571e5775ebc0e0d0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f09e0b9c3cb2e4343f55045170fe7c43

SHA1
e298223e451e3acb8eaa58982c3fc6b15c98e694

SHA256
0e508d612c069c14254c6b723fae6c353b1f40a62f961753054d994607209ea6

SHA512
2c1a976a819906f6a97fc601fdfc9470efe6f731bd984dcbed45f7110783aff74608777ddc28cf8c7b6bcb723106a1d54de8b6046c36bea5c7f812f44ae962c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f132a2d069c01a65989553ed1e8a0ad4

SHA1
788a22e05533c3c1c672611fb41ee78507740394

SHA256
58cb9c6d6ec13ebe5ac9ec15de58fb4a7c1a954419cbdcf06b3fde07101afddb

SHA512
a2d3c3e2daab9f65f2580c5ba6d3871cb1ae52338b6103b0b50d34011d61812b1f22ff4905480c2fb2140763d5204d58849244473cfd75b4384b992f24352655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
839ee865924c2fd795959170cc13727d

SHA1
61f681bc7c09cc1259dec49461a0dc9691edb0e8

SHA256
62cdcc4561c23b348b91b6d36af7fe6d1184b6c4bafab42fd7ff5da62409f1dd

SHA512
cf45eb9c0f7c125628b03421033a2aeda973292c103ebf5c20a94e873a9198c7f537f703936b83cf95cf6c9e91bcff227d0ba323f534d345c4e5aaa93d297969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6a6c0265101903ce145c6f3b3bd5104e

SHA1
a9c9421fd56faef2f8c6a5b9d6599aaec4127c92

SHA256
a16083129a3b031fa15556785d93c26fd9937536ee4c86b37f371700313f98e8

SHA512
532d26e137a957329ef718b1c4217bc6bcbd83e7621be6d8e06c901a88f5aa221f6249fe0ddf2edb922a546e5fc78c6e5d451105ec90a12e2c565402f209dccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0c6005b5b2ed36db6ab21b7d8c125cf2

SHA1
f03d09231e77da289aa314395cea81d7916394fb

SHA256
15e653499fe8faf7c6271cbe3a4698ea66324c0190762146d2d76c6c8573b569

SHA512
7cd967195145f0b543d3c735e37ab1ed1011f1eb72822ade18bf20429e3260bf62cdec45be33c967aba3fa761032a8794a6e903d0bdeaf617c9c52d0ce2fe554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
828c0c97c3ad7b16341c0b775184b391

SHA1
fac86b48d2a16965e061b6f325e49d1259611631

SHA256
b5f1441fcf326431b6c832492d3ffdf317b63120f54dafc982791a66171a7626

SHA512
53a037230d7d976b7842d2374879b83f6ad54ae3a6b15d86b064960072c76b90bb34298c2b6a0e5ecb5931bd98494e08443e1f07028769d3c1e1a57c56d698ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
45329bf6a607d4be6fae5fcfb7eec9df

SHA1
86a2d268d70179d921ba864e8c09977fd3d56585

SHA256
a4c1940ee560423b58d138fc1acfd18e27a193ba00762efcd1ab3de26fdd14be

SHA512
54d1aa2b08e6aed7cf0628021eb400ee92f332c27dcee983c390c1dc61a26b0e8103ea252150da995ea7c5388f540ec183773ad8a82e78427b0a08aa588cc99a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
89369f41d35782d400ab60c0162a0833

SHA1
2dac9f47dce10a8145689212163b05c4fa61bf9f

SHA256
cc576f92baa4b5aa7628a48162a00741d0e2f0e5dd1d86c1a67217391f3e6d46

SHA512
10818c67f91e405dcbc052f972a2de4caae7100500706cbdf13e774d5b3f492cae458de8985dc321b475421f307f2a65184665524941c43cfd1c7713f9f569dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7119879a5f39ab15afbc229a10b497c2

SHA1
e7f39dd9ef1c382a08a905a19650ea6cab3fdcd3

SHA256
99b5168f857ffe3aca3167598c4a409fa299d32db19ecbd782fd0c62eef08763

SHA512
e8dfc1ec31cdd4f2c90bdac4867ce68a21ccf7a849f24301165a8aa3c7b24f9e5e84a3a98e2e3d38991d8f14c4b8112486124d98e964c686fade92f66ec2cd9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3888fe04181477af0fc0567a6e9b7c1

SHA1
9e5c9679e17be486008265333c35cb6a2a8deedd

SHA256
e2be25b5bd4dca1d41e6ca64cb83a8117958321089fa939adc04ecdfae9c231d

SHA512
b55fa2057eca4b150e427a663e972ecb50a1f4a87d61310282b0e6a71bf9f4240db820b2db2feb45c24aaaaf16593fffc018d9ad3b66fb17e50774c07895b048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37994209e12f47936c383993a6f69f59

SHA1
0b8c905777abd89ec1dc5e9713a4d15e1fc4bde2

SHA256
38e63ad059ea379f56d9bdc65c78f1bf1a60bdfe6c5f28f5fc82e54e6391539a

SHA512
ea17d664b8488c5e9a55851e7ee920a4fec32f82b5b2b8eb41fe7275300f139f3d021190d6c655e8c985924a48f2ab326a2a9930ad30fccd5a27c72a0bcc43f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
287913477333cd80dd69f04d1239e949

SHA1
25e1856aa0d819ac4329197e9412fc9b553a0c94

SHA256
5bf67ef3fdffbe7e1d489b3eba87c57e8dc99f0c17fc8df4f872fc77d6af933c

SHA512
51da7afc56b21fc91f12c05288e9337a66958f3e14766ee3aa63c745b4e0cbceb406e8cc1bf30af9262aeae1f5ee5d5093ff6522e0601f772a148509f0904eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
52b1c9ff15d536fa51647d4e3ce6ab93

SHA1
351fb184a1bd3c2e242d63547870d7ef263b666e

SHA256
73e371815a240052214d61176dd2871bc539a050c57e42af4c55ad455e45fcbe

SHA512
fd99f94b690b1df5d78b01e6519425016a7cd2ad2dfd2d6c503b59bac43dcbd07790affbef6bc308ddb8096ede7d95a1a5c66cf69d34915dd732812792d2bd36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
009a6eaff5b86afbe4692bfc27e41433

SHA1
c05a991ea3e90b9f5a71733eec8875e04a152d11

SHA256
e0a0bd0ef346ab7f0404349bb72501d6d02e72879ea89cfd694310ddb177f338

SHA512
1e9f4de72a97eb5fd0d12e070c9b89467c0ed6524269e693497982196c9559734d4ca41f687d0dd4fd284babf2d179fe9ab3f446a6a2bffe97a4480c905bab0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0836f6c384d11513cb4f11ccb17e9675

SHA1
f257454f27fc4e5a65b5276cc53edc36734a8d13

SHA256
6efae31894a09c6ca924d90ff4d7ca34cbd923a417e81293b8911919b0eab257

SHA512
dade0d79667d589f3a7ba49a467d90f889330ea03b41872581d5edc76194eb6991593e1b720aa5594c44339316b49f80bf35abc2bee4f30fdb34e4923dbe0566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ca8561454391d5ed68f6686cecf63ca3

SHA1
8ad0e434ad09a43f0f11b7a623a18c0f591c3efb

SHA256
5c5c45cfabc8d06664b44abb593c3dbaca9f0ed382c02d4ab06d95802d88b5df

SHA512
87726068ac9d924118bf6524f2123ccbfbce31319551fe687c59ff0c61d18d3d8312cd8464b235b60d4392de669558bfd77ba6befc52ad836c3d1368b835a46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d64e6d29080531bbfb093059e135b540

SHA1
e199c52e08d64184e7a99eb5a5da53132b384493

SHA256
ef43a6c72eb1783004eec5440316cacd9f0e5a8f2d4d5c1d38b69de838cf3a58

SHA512
69d481ed44e3ee45de6bf3fb5cc354fa349268642bb4d92d3f7f9d35d85c8d23795d3a5913d6d7a53993fd64abd2597b1cb3b3c2e6f6826b4bee1c62053920ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9cce2357898cb44940dbb707ff122595

SHA1
3746d8ef58f79785244227e7f04d8facb1896e13

SHA256
b122631e3c0b32dc640c97bbcbd1a3689d7d47264af34200ecff85242507a1a9

SHA512
aecaaf0d81df48917e172e46933474778eb8dfcc25ad9e7c6e7e59d088e409697c074f4d9f54f18518d73ac1810fd23d6ba986aef48d59fd2815b927697ec7bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
32568794d03dde588ccf0b4b5ea2c55f

SHA1
5bace8bc5f6a04408ea060c26cf8395298bf2efe

SHA256
504ee9be6a61b751d7d2666749166b273d664d55e8d36b829a7010b7e6586484

SHA512
cdac086e31128e153245acc1eb147f4005a30a1eb7a2fbab007414fb222471855b3efa00eacd71b4a7110a7851d1ffa00be5548bf6d5ddbf97fbdf202ecf7834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
414b56d9725d164f471d88ba420a6ad0

SHA1
da19621063751f3af7bca93f589b81aa5b378c92

SHA256
30c1b887657c476b8f381770b0dcaa2610e33665b731fec53244484578c83d19

SHA512
32d7bbde84042a647fa18ba04d4ba8cd219937a6021ffca8a5264fbb1594e6965a81b7c66380a65be089a98e0b0f1183723a51276d12c3b32d28c45a291b04c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
126b255d28351c570833af5c45a7b68a

SHA1
ff46bcb6e562fb0dee4b6515516791af321072fb

SHA256
ef5e58850af4363a3d7957154143be20eb29e1b8a9c9146d2641948af6220649

SHA512
6befe53f02fe4e4b7dff1202236e2dd4332332395cb15148c76b4615b72a051e4021d3af24ef47ec4e1a8594cb62e1dc1f400f408c7d5952e157ae037b3ec13b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
c0b87c2f995b44fe485f6c4ca2843c3a

SHA1
6c24b4e265eccf8a579ccfa57a954bbeda339a89

SHA256
cdc333c46a83291bcfb48634dfcc11423a8e8f6da0d1c5962f39d24fb0207e13

SHA512
66499f3cddbc4ea0833b455861333c6a33b01c6656a453eddb5be32c17893d8ce2141998ec56238123aec7bcc913be5ad6e5dd8b6d396b422808836670c6ef2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
9cbfd70a6422a80e60e1478760331306

SHA1
24c5f6f27817093f281a91ed4327e1124c7456c0

SHA256
62b169b3777178757b01b548b6d64c446113b5052ecc7c31094fa8877451b46f

SHA512
15582cc291674ed90d648a6f6f4388529a903cf346a7a65e890a9dfe4ccc25900d0d91dffbd312f63e9043b0b24c36dd8016dd79d13d72ea68d39d66759f7d19

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\afa61b6e-5ceb-40a6-867d-a38d85f42446.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 430355.crdownload

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 585655.crdownload

Filesize
6.9MB

MD5
1c4187f0b612a9a473010dcc37c37a82

SHA1
34d46733452812d481adeedad5eaea2cf4342540

SHA256
c8d55b0f4f25caf135dabc7f21b9548263022107e9740dfe692b402469cd47bd

SHA512
075678e24a867d5630da324e934837d81a3fa1d848a15feeb2a7be268d38b81ca4210cd44a22e9869173edebecd1947968327ddce16a85b71c03e6307e365def

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
99cf8053ed23c73d38f384f2326a59fd

SHA1
a4f1cc598ee228a232374f805ae8e8cbc35a49b8

SHA256
bad7df7d3a3d95ac8219adf2876f32703b7e0f04d4d1d84874217e1f25041153

SHA512
7cee9991233b8771004a3ef68a81274c386bdf91d351fac102ed60ceaf665b08c50bd27c17c0f64e8e75524973f5930d46107956740477eb887287c67eaa7d30

Download Submit
\??\pipe\crashpad_2488_ELENJYLNIKKGWQKJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2832-1777-0x0000000073C00000-0x0000000073E10000-memory.dmp

Filesize
2.1MB

Download
memory/2832-1764-0x0000000073C00000-0x0000000073E10000-memory.dmp

Filesize
2.1MB

Download
memory/2832-1653-0x0000000073C00000-0x0000000073E10000-memory.dmp

Filesize
2.1MB

Download
memory/2832-1445-0x0000000073C00000-0x0000000073E10000-memory.dmp

Filesize
2.1MB

Download
memory/2832-1489-0x0000000073C00000-0x0000000073E10000-memory.dmp

Filesize
2.1MB

Download
memory/2832-1444-0x0000000000CA0000-0x0000000000CD5000-memory.dmp

Filesize
212KB

Download