8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
1049s
max time network
1050s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-11-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 29 IoCs

pid	Process
992	Solara.exe
4432	RobloxPlayerInstaller.exe
540	MicrosoftEdgeWebview2Setup.exe
1596	MicrosoftEdgeUpdate.exe
828	MicrosoftEdgeUpdate.exe
3160	MicrosoftEdgeUpdate.exe
1964	MicrosoftEdgeUpdateComRegisterShell64.exe
4756	MicrosoftEdgeUpdateComRegisterShell64.exe
3364	MicrosoftEdgeUpdateComRegisterShell64.exe
576	MicrosoftEdgeUpdate.exe
1048	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
3580	MicrosoftEdgeUpdate.exe
1292	MicrosoftEdge_X64_131.0.2903.70.exe
2740	setup.exe
4668	setup.exe
6016	MicrosoftEdgeUpdate.exe
6088	RobloxPlayerBeta.exe
3932	MicrosoftEdgeUpdate.exe
6044	MicrosoftEdgeUpdate.exe
5824	MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe
5540	MicrosoftEdgeUpdate.exe
5972	MicrosoftEdgeUpdate.exe
5160	MicrosoftEdgeUpdate.exe
896	MicrosoftEdgeUpdate.exe
532	MicrosoftEdgeUpdateComRegisterShell64.exe
6100	MicrosoftEdgeUpdateComRegisterShell64.exe
1048	MicrosoftEdgeUpdateComRegisterShell64.exe
3144	MicrosoftEdgeUpdate.exe

Loads dropped DLL 43 IoCs

pid	Process
3976	MsiExec.exe
3976	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
3976	MsiExec.exe
1596	MicrosoftEdgeUpdate.exe
828	MicrosoftEdgeUpdate.exe
3160	MicrosoftEdgeUpdate.exe
1964	MicrosoftEdgeUpdateComRegisterShell64.exe
3160	MicrosoftEdgeUpdate.exe
4756	MicrosoftEdgeUpdateComRegisterShell64.exe
3160	MicrosoftEdgeUpdate.exe
3364	MicrosoftEdgeUpdateComRegisterShell64.exe
3160	MicrosoftEdgeUpdate.exe
576	MicrosoftEdgeUpdate.exe
1048	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
2784	MicrosoftEdgeUpdate.exe
1048	MicrosoftEdgeUpdate.exe
3580	MicrosoftEdgeUpdate.exe
6016	MicrosoftEdgeUpdate.exe
6088	RobloxPlayerBeta.exe
3932	MicrosoftEdgeUpdate.exe
6044	MicrosoftEdgeUpdate.exe
6044	MicrosoftEdgeUpdate.exe
3932	MicrosoftEdgeUpdate.exe
5540	MicrosoftEdgeUpdate.exe
5972	MicrosoftEdgeUpdate.exe
5160	MicrosoftEdgeUpdate.exe
896	MicrosoftEdgeUpdate.exe
532	MicrosoftEdgeUpdateComRegisterShell64.exe
896	MicrosoftEdgeUpdate.exe
6100	MicrosoftEdgeUpdateComRegisterShell64.exe
896	MicrosoftEdgeUpdate.exe
1048	MicrosoftEdgeUpdateComRegisterShell64.exe
896	MicrosoftEdgeUpdate.exe
3144	MicrosoftEdgeUpdate.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	4956	msiexec.exe
15	4956	msiexec.exe
16	4956	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	pastebin.com
34	pastebin.com

Checks system information in the registry 2 TTPs 18 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
6088	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe
6088	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\MaterialManager\List_LT.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\MicLight\Connecting.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\avatar\compositing\CompositLeftArmBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\LayeredClothingEditor\AddMore_Big_50X50_Dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.70\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.70\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\PurchasePrompt\RightButton.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\package.json	msiexec.exe
File created	C:\Program Files\nodejs\npx.cmd	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\shaders\shaders_d3d10.pack	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU933E.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\configuring-npm\folders.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\scan.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\base-theme.js	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\MaterialManager\Filter.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Emotes\Small\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Settings\Radial\Leave.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\New\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\Controls\DesignSystem\ButtonStart.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.70\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\npm-global.5	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\StudioSharedUI\close.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_1x_5.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\api-ms-win-crt-environment-l1-1-0.dll	RobloxPlayerInstaller.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\css.js	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\DeveloperFramework\button_arrow_right.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\ImageSet\AE\img_set_2x_3.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.70\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\Debugger\Step-In.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\UserInputPlaybackPlugin\TapCursor.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\Locales\ne.pak	setup.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\p-map\index.js	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\AnimationEditor\image_keyframe_cubic_selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-docs.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\query-selector-all.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\outside.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\Find-VisualStudio.cs	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\MaterialManager\Grid_DT.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\particles\fire_sparks_main.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\StudioToolbox\AssetConfig\recent.png	RobloxPlayerInstaller.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\store.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\aproba\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npx.ps1	msiexec.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\AnimationEditor\img_key_indicator_border.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\GameSettings\copy.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\Settings\Players\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\VoiceChat\SpeakerNew\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU933E.tmp\msedgeupdateres_de.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\content\textures\ui\ButtonRight.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\ExtraContent\textures\ui\LuaApp\icons\ic-more-create.png	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.70\Trust Protection Lists\Mu\Cryptomining	setup.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\key.js	msiexec.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\Installer\MSI3F2F.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\Installer\MSI3C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\5438ab30-4644-46c4-ba64-e73ddfb8efe1.tmp	setup.exe
File opened for modification	C:\Windows\Installer\MSIFFBD.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\Installer\MSI1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB6.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\MSI3FCC.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4481.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17B0.tmp	msiexec.exe
File created	C:\Windows\Installer\e57faa0.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF399B0A27CE5C4812.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Windows\Installer\e57fa9c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI105B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF06B23C48A8FCC04D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA2875F6996A51A2A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17EF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\e57fa9c.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE500744F2B750158.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A2.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5540	MicrosoftEdgeUpdate.exe
3144	MicrosoftEdgeUpdate.exe
576	MicrosoftEdgeUpdate.exe
3580	MicrosoftEdgeUpdate.exe
6016	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3608	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133773605148501372"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{C7931E4D-82F7-486C-9FFB-E44AB90B021F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{C7931E4D-82F7-486C-9FFB-E44AB90B021F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.39\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42580F9E-2678-4BB9-A2BC-F22A1D432A1A}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42580F9E-2678-4BB9-A2BC-F22A1D432A1A}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{C7931E4D-82F7-486C-9FFB-E44AB90B021F}"	MicrosoftEdgeUpdateComRegisterShell64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2772	Bootstrapper.exe
2772	Bootstrapper.exe
5032	chrome.exe
5032	chrome.exe
4956	msiexec.exe
4956	msiexec.exe
992	Solara.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4168	chrome.exe
4432	RobloxPlayerInstaller.exe
4432	RobloxPlayerInstaller.exe
1596	MicrosoftEdgeUpdate.exe
1596	MicrosoftEdgeUpdate.exe
1596	MicrosoftEdgeUpdate.exe
1596	MicrosoftEdgeUpdate.exe
1596	MicrosoftEdgeUpdate.exe
1596	MicrosoftEdgeUpdate.exe
6088	RobloxPlayerBeta.exe
3932	MicrosoftEdgeUpdate.exe
3932	MicrosoftEdgeUpdate.exe
3932	MicrosoftEdgeUpdate.exe
3932	MicrosoftEdgeUpdate.exe
6044	MicrosoftEdgeUpdate.exe
6044	MicrosoftEdgeUpdate.exe
5972	MicrosoftEdgeUpdate.exe
5972	MicrosoftEdgeUpdate.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeDebugPrivilege	2772	Bootstrapper.exe
Token: SeShutdownPrivilege	4628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4628	msiexec.exe
Token: SeSecurityPrivilege	4956	msiexec.exe
Token: SeCreateTokenPrivilege	4628	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4628	msiexec.exe
Token: SeLockMemoryPrivilege	4628	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4628	msiexec.exe
Token: SeMachineAccountPrivilege	4628	msiexec.exe
Token: SeTcbPrivilege	4628	msiexec.exe
Token: SeSecurityPrivilege	4628	msiexec.exe
Token: SeTakeOwnershipPrivilege	4628	msiexec.exe
Token: SeLoadDriverPrivilege	4628	msiexec.exe
Token: SeSystemProfilePrivilege	4628	msiexec.exe
Token: SeSystemtimePrivilege	4628	msiexec.exe
Token: SeProfSingleProcessPrivilege	4628	msiexec.exe
Token: SeIncBasePriorityPrivilege	4628	msiexec.exe
Token: SeCreatePagefilePrivilege	4628	msiexec.exe
Token: SeCreatePermanentPrivilege	4628	msiexec.exe
Token: SeBackupPrivilege	4628	msiexec.exe
Token: SeRestorePrivilege	4628	msiexec.exe
Token: SeShutdownPrivilege	4628	msiexec.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	MiniSearchHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
6088	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1948	2772	Bootstrapper.exe	78
PID 2772 wrote to memory of 1948	2772	Bootstrapper.exe	78
PID 1948 wrote to memory of 3608	1948	cmd.exe	80
PID 1948 wrote to memory of 3608	1948	cmd.exe	80
PID 2772 wrote to memory of 3604	2772	Bootstrapper.exe	81
PID 2772 wrote to memory of 3604	2772	Bootstrapper.exe	81
PID 3604 wrote to memory of 4844	3604	cmd.exe	83
PID 3604 wrote to memory of 4844	3604	cmd.exe	83
PID 2772 wrote to memory of 4628	2772	Bootstrapper.exe	85
PID 2772 wrote to memory of 4628	2772	Bootstrapper.exe	85
PID 4956 wrote to memory of 3976	4956	msiexec.exe	89
PID 4956 wrote to memory of 3976	4956	msiexec.exe	89
PID 4956 wrote to memory of 3464	4956	msiexec.exe	90
PID 4956 wrote to memory of 3464	4956	msiexec.exe	90
PID 4956 wrote to memory of 3464	4956	msiexec.exe	90
PID 5032 wrote to memory of 3060	5032	chrome.exe	92
PID 5032 wrote to memory of 3060	5032	chrome.exe	92
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 2496	5032	chrome.exe	93
PID 5032 wrote to memory of 3656	5032	chrome.exe	94
PID 5032 wrote to memory of 3656	5032	chrome.exe	94
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95
PID 5032 wrote to memory of 1524	5032	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3608
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\ProgramData\Solara\Solara.exe
  "C:\ProgramData\Solara\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 5348AF4CB09FD73BB5BEB67D002496ED
  2⤵
  - Loads dropped DLL
  PID:3976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7750981CB0E3F18E03422808229E515D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3464
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B2B10F3D5BA27B738A1DB062C0A5E1C2 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:332
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7414cc40,0x7ffe7414cc4c,0x7ffe7414cc58
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1652 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4368,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4704
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff691d14698,0x7ff691d146a4,0x7ff691d146b0
    3⤵
    - Drops file in Windows directory
    PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3528,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3496,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4932,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3384,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5328,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5244,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5220,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5940,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5948,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6012,i,6810389420646933670,15455342881786165051,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- - C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
    MicrosoftEdgeWebview2Setup.exe /silent /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:540
  - - C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1596
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1964
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4756
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3364
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q0NUE1OTctMjlDQi00Njk5LUFGNDAtQzZBQjY0NTc3ODIzfSIgdXNlcmlkPSJ7ODYwQjVDMjctQzFBRi00MDYzLUE4QzItMDQyQTdGNEVFRkI5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGRkY4QTQ0MS0xNEVCLTQ2QjUtODk2OC0xRjM1NTk5QkRGMDh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0My41NyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYzNjk3MDk5NjIiIGluc3RhbGxfdGltZV9tcz0iNjY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:576
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{7D45A597-29CB-4699-AF40-C6AB64577823}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1048
- - C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 4432
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:6088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4788

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2784
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q0NUE1OTctMjlDQi00Njk5LUFGNDAtQzZBQjY0NTc3ODIzfSIgdXNlcmlkPSJ7ODYwQjVDMjctQzFBRi00MDYzLUE4QzItMDQyQTdGNEVFRkI5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswQkZENDA5My1GMTY2LTRCMTQtQURCQS02MDJBNTQ1NjY3MDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYzNzQyNzk4NjUiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:3580
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\MicrosoftEdge_X64_131.0.2903.70.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\MicrosoftEdge_X64_131.0.2903.70.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:1292
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\EDGEMITMP_02084.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\EDGEMITMP_02084.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\MicrosoftEdge_X64_131.0.2903.70.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2740
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\EDGEMITMP_02084.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\EDGEMITMP_02084.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.86 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6A1FCC42-6153-4BA2-ACB1-78BE523DE76E}\EDGEMITMP_02084.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.70 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff77a072918,0x7ff77a072924,0x7ff77a072930
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4668
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q0NUE1OTctMjlDQi00Njk5LUFGNDAtQzZBQjY0NTc3ODIzfSIgdXNlcmlkPSJ7ODYwQjVDMjctQzFBRi00MDYzLUE4QzItMDQyQTdGNEVFRkI5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4MzVBNzM4My04QUYwLTRGRDMtOTEyNS1GQ0VFNTZDRTEyNUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjcwIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2Mzg4NDAwMTAxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjM4ODU1MDQ3NSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY3Nzk2Njk5MzciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2Y4MTM2OTAxLWM1ZjAtNDMyNi1iZjMzLTRkNzNiODdhMTk3OT9QMT0xNzMzNDkxODU4JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWZScmEwWEk3RXJjJTJmMmxIUXQlMmJhT2F1VFhOJTJmYjVaS3QlMmZqakVhcExDeWpFRlAybW1oaEJ2b1p2UUNSbnhrQ2VWTXhsa0U5VGRPbElFcmxSVDE4ZU1sV3clM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzY2MjIxNjAiIHRvdGFsPSIxNzY2MjIxNjAiIGRvd25sb2FkX3RpbWVfbXM9IjMxOTM0Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjc3OTg5MDI0MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY3OTQ3NTAyNzciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc0MTcwMDAxMjkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMDY0IiBkb3dubG9hZF90aW1lX21zPSIzOTEyNCIgZG93bmxvYWRlZD0iMTc2NjIyMTYwIiB0b3RhbD0iMTc2NjIyMTYwIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2MjIyMCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6016

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:5376

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6044
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{78D03663-16AB-4129-9651-E3477D7F7FB9}\MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{78D03663-16AB-4129-9651-E3477D7F7FB9}\MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe" /update /sessionid "{DFD4F622-9FE4-48A1-BFD5-E12732E8D2ED}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5824
- - C:\Program Files (x86)\Microsoft\Temp\EU933E.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU933E.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{DFD4F622-9FE4-48A1-BFD5-E12732E8D2ED}"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5972
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5160
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:896
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:532
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6100
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1048
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REZENEY2MjItOUZFNC00OEExLUJGRDUtRTEyNzMyRThEMkVEfSIgdXNlcmlkPSJ7ODYwQjVDMjctQzFBRi00MDYzLUE4QzItMDQyQTdGNEVFRkI5fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7NTlEREY3QjAtNDg4RC00MzA0LUI0NzgtQjM1M0Q4QUYyRkQyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMzkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzI4ODcwNTUiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NDcxNDY4NDA4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3144
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REZENEY2MjItOUZFNC00OEExLUJGRDUtRTEyNzMyRThEMkVEfSIgdXNlcmlkPSJ7ODYwQjVDMjctQzFBRi00MDYzLUE4QzItMDQyQTdGNEVFRkI5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGM0I2MDZDOS04RkQ3LTQ4MjEtODYwMi1GNEE2OThEODJBMTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTcxLjM5IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4zOSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk2Njk1OTMzNzMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTY2OTU5MzM3MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ0NTQyODA3NDciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8xN2I3NTIyMy1hMzVlLTQ0NGEtODBkNC1iYjk4OWNjZjJmNzM_UDE9MTczMzQ5MjE4NiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1uaGhkVWFKNnhzVyUyYjNaQTVNMHBDMjFIYk1TTlZVTnh0MzFvVGY0SXpYTCUyYm40TnlFbFdyM0IxSCUyYk1XUFpPT0M4cUxtazdJd0J2ZUI0UUduJTJmaUY5UG1RJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjYzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NDU0NDM3MjIxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8xN2I3NTIyMy1hMzVlLTQ0NGEtODBkNC1iYjk4OWNjZjJmNzM_UDE9MTczMzQ5MjE4NiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1uaGhkVWFKNnhzVyUyYjNaQTVNMHBDMjFIYk1TTlZVTnh0MzFvVGY0SXpYTCUyYm40TnlFbFdyM0IxSCUyYk1XUFpPT0M4cUxtazdJd0J2ZUI0UUduJTJmaUY5UG1RJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTY1MzMyOCIgdG90YWw9IjE2NTMzMjgiIGRvd25sb2FkX3RpbWVfbXM9IjQ3NDE0MSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDQ1NDQzNzIyMSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDQ1OTc0OTUyNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxwaW5nIHI9Ii0xIiByZD0iLTEiLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTAuMC44MTguNjYiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNzI3NzgyNjI0OTY2MjAwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9Ii0xIiBhZD0iLTEiIHJkPSItMSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzEuMC4yOTAzLjcwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7QjcwNjRFN0MtN0M4Qi00MUM5LTg5RUYtQzAxNkU5ODdEQUY0fSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fa9f.rbs

Filesize
1.0MB

MD5
00d5a86af46c5fbc896f9e4e6c6c5ca3

SHA1
5c8baaf7c421178d3a03baa3690307d88085f28d

SHA256
f5ebf4ac9d6b1766933f84c576e99c56e18916556ac02470930e879d1f2b06ce

SHA512
cd4c345d3ec45d871b193a4eb649d24c6c7336c137d14e887052705c2258b6ce143e6426a8d29b5c31a3f364f36450c00205aba201e68fd673bb281bc6a71a6c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.70\Installer\setup.exe

Filesize
6.6MB

MD5
8ae106f9f32723071b7d89c0dd260569

SHA1
c66b0f1b5f01b0a6a8eb0dc32842983f05c992c3

SHA256
c4b55f6e4150ef16f731a7b10012eecb83b5557ae45ac2b3d37b7865d69d1b26

SHA512
e96e3f14239b4fd1c2e6defa65e1eb9920efcf870ad98bee872b6248ab13032976d0340f99b490d6b7034f2ac099ff4d5e613d8f46a812483b1996569bc31dd1

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.195.39\MicrosoftEdgeUpdateSetup_X86_1.3.195.39.exe

Filesize
1.6MB

MD5
2516fc0d4a197f047e76f210da921f98

SHA1
2a929920af93024e8541e9f345d623373618b249

SHA256
fd424062ff3983d0edd6c47ab87343a15e52902533e3d5f33f1b0222f940721c

SHA512
1606c82f41ca6cbb58e522e03a917ff252715c3c370756977a9abd713aa12e37167a30f6f5de252d431af7e4809ae1e1850c0f33d4e8fc11bab42b224598edc8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
7a160c6016922713345454265807f08d

SHA1
e36ee184edd449252eb2dfd3016d5b0d2edad3c6

SHA256
35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9

SHA512
c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
60dba9b06b56e58f5aea1a4149c743d2

SHA1
a7e456acf64dd99ca30259cf45b88cf2515a69b3

SHA256
4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112

SHA512
e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
c044dcfa4d518df8fc9d4a161d49cece

SHA1
91bd4e933b22c010454fd6d3e3b042ab6e8b2149

SHA256
9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2

SHA512
f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
965b3af7886e7bf6584488658c050ca2

SHA1
72daabdde7cd500c483d0eeecb1bd19708f8e4a5

SHA256
d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

SHA512
1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU35E6.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
4a1e3cf488e998ef4d22ac25ccc520a5

SHA1
dc568a6e3c9465474ef0d761581c733b3371b1cd

SHA256
9afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011

SHA512
ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
6.8MB

MD5
ee40308e2ffbc9001db2324ff6420492

SHA1
47cabfe872311f65534cbd4b87d707ccdef559d1

SHA256
38cd32dedb5c8c2af8ecd56827af5b4477a4b9ca3e518199d389a261baa999a5

SHA512
5f5fd0db005d49d63eaa81b288d2d6d40ce9c84cafd1c75d33723e47f23341d5ff254c2ed6274790242ad53f5360467d121cf1196ec7a073d4506166248041c3

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-8aa36bbf0eb1494a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
c2b6ba7a612d9afcfc4d3a0b419a337a

SHA1
9a81f2a1d7fd9066686e2ad831448e24435b0a25

SHA256
6d82371106fa2f3e529c19ca80c9099c57b0dcd1f9adcf7d8d47329b5607c174

SHA512
c35b36101ea8f3943f0cda391a90a4378e47ad097585f452b1e0f97b106b4b97c9be7fbdcf18288a9bfb5c76fad2f8d445fef219caba96a8071499a5006c3ee9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5754f516-f985-4580-bae1-0fed6c92a008.tmp

Filesize
11KB

MD5
b459cefd68567a670f92b8621ee5b238

SHA1
c1f56dfcee2bbfff3abe7822b13978dd84b6ef91

SHA256
78f8880dd76074b5176e6075a0739ae6ca9e48e389c31401df043bb224474ec5

SHA512
8cb0bce0a7b53c5c6ef4eee569b0503baebe7ea9f3dc60017fc5316ac6070fcbd60b8af143c6d386c062fc62c99065506c225ffdc45400eebf4f217054ce024d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3578c8f2d78e92e33a3a31d96a0f3730

SHA1
132aac06dfa9beecf039d986447a7f318ef79813

SHA256
a8ec948ba988c874eea46731be1c7930a4f9f32943785487c081f2ef078983fb

SHA512
2eb137a47dc3a4f6b235125cfd57ae34d5371ee36e2b70cb36ef74eebdd55fd38392b783ae029a60f21aa4a401291bce12d0c89e341e781ae2152dfe40a9e494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000042

Filesize
208KB

MD5
f8382a2b0826d19b2a58ee70c74d8280

SHA1
600274430845aeb8aa7807e95bf6e902e5f67afe

SHA256
24f5a5624aa0b93a0fc9171ddabde3b91716f05fd28e7ad1131f2bb795dcc99b

SHA512
c3301dae1c115b203d662b4ddc62ea7a7f5f490facacecfbfee2da73cd439fb8d65e469ae546b10e8ef0c98fb0dd26d97a20c9a17db554e10fc6c083776c0c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5e450d64ff2967071bb6b6f26c4c6358

SHA1
522326bf3b3d44ddaa51ced33dad0b2c8655829d

SHA256
08c7ed9c5aca232410160313f1a391190c12fa91ad30c24f487b6bbe7a9b2447

SHA512
001a459db9b5ba4a59e2d99b36ce4185351a642a4c45253126848b361635f6ca01d46916c03ed7e1a78a9805680a417ffa74a987187ed27f0db536514401b2ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e56bd9d2b41c391fdecaf3bbfd9fe950

SHA1
d29208c5e4d131dd3e234129fb08816c6c821d9f

SHA256
82a6a45753cd609c7f02dae1124c67a980d10c1860a5b60efa2b536cd46434a3

SHA512
00bf416c8033c63024220e73466bed438c019b911ee49870f3d36ec80ddb45de759a04bea439f36a46a24b2d3453506c239a9f7ff8504f8dfd44a12c311f1a40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3db7ca1c380553a4ec20548767d35abb

SHA1
4f95039134f9508a8169718e8ba71ef79968ff5a

SHA256
5091fc0446814d61999b796d441a6591309c0ca9810677424f908a95b567c27f

SHA512
9c35d60a5f467216a06cf0a79c3400f918cecac6119052e29e7d8d2fa75c71d556b60bf630b656bec47918d322ceb246b3eb6db46b23ea7a577cd2eb6e98b340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
5e920b877f23c8792971e352cbc9122f

SHA1
3fe0db6063998154a78773df8f2890e1c777114e

SHA256
0d435380295f41986f3f6f59ec79f1e0a197f149874dcfdbc2b4d5d1873729f7

SHA512
9c7808f360f4d27f7e288d425d50153678067a8d87234710e9507f638604f91c0549c3eb0bab2147ccb3f260c5232b28cd6c5abdf674e589172ed65fe8a3421e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
a27befa28f3bbbf50b561e8728cb5941

SHA1
3506acf430e16ab8838d1f731ab5e22a0fcc43e5

SHA256
8d917b607b447a35f615bc4622bb5715d527e1dc9afc506fdb7983bcc455e0ca

SHA512
65df73dc78dbe230089f4524b679a072cc2134369b77f693d5524474cd8eeba898e6cad9ccdf630822d4f7fdf4f506a151fee7bea785ef84afdf519397a37d22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
408dec0a48801ff02e87514d58f66c4b

SHA1
188850b601c00826e4c216d16d958b5cc0064489

SHA256
5a81b7386d33024864bc61bae57c870e5dbc29e3df78291e486a06fd0102b8d4

SHA512
6e6416c82f35f1864a67837df9c86b973285ffdf27250fec5a5907c6b6f08d935a20388321b6b0fc8170989a61af7a0dee00077526999e2eea387134dfe6102d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e8020529c9d68412e514489b501e0e45

SHA1
2c8b703a61020b64a9973d4ae1cefa2597b51257

SHA256
8cffc07ba36d377cd02491d412e4083e800182e53d3d36fdee66381838276734

SHA512
76282e10f3a1e1404ef25102e9de7d96d09f011f9586577ae70b72eca597478c7b82d8904f9ea054211890b12b4922881ffb97133ae6f79e92fcda4024989c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
09f9db27ccc4ab9941168588475edaf1

SHA1
92c59a66444331c795c3a2ec3ce78bd9624a5de5

SHA256
1b1772950918e700c2e010421b3a49c475fcb8eb3434e9b673565681b6ddefca

SHA512
902d3774be2414f2b31d73d6039e49ba9adaa83cbd82655c715627985b044f365323c56cdf2c4355675b2e38ed80840708c667d5f7c2be469535b91fd4fe45c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
4727c4a59dbe09c0aabbfc4c6e66af5f

SHA1
a495253a2c765664e6fed645016a82a36d2dfd90

SHA256
5a736655e6a4e209d92db95df9fd45a16d595a58efe8097b818d6d92ee466ef2

SHA512
e6ff9eae0fd1799681adfbd638a0917c872717a585c4dbef854ae9591aee75c1a265d1e16b86684eb717f2ee693c90128e30d65eaa61faac72f09608e3905bc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
31179567712e741394ac7c305c1d0674

SHA1
2c4610483a8bbd5c021ea75c50fb0d42c5b2cafa

SHA256
7d411e2e1a4530fe9287812b974a817b3478b94a438e8130ccb66ec4eb145c23

SHA512
75a50ebda9af9153167fd29722837411d1a40bb1194e55a0e68361eaa0a9ce936cc3b47159d3adb5fcfbcc3fac9fd0e0a3397eb71960729130eaca7d90702a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
32d56e539cb79d88098eca549ccace69

SHA1
a017732d4322bcad849906e266e2640a38f96faa

SHA256
004dd8e98f7e9ddf379812268fefe782aae76cb741da2c968cefbe032f813229

SHA512
fbe48a52e014f06787f289bde7a1ae37bb320c7737d973771ffe8a379de13b72492d563c545b03482224a2f39e60dece2e936a99a88e0c29a22ab597626e5c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
315079082c225fc11d9fdeeac68c310f

SHA1
afcaee57bec2ad39fa59adb5bfb60650cceb18fb

SHA256
0a6a028258fd7d415b9f5ac21efd7ec08e2c639b263bd0cae797fb26d6fb9f20

SHA512
04c93f905fd5e396bad597c9153a1e4f44e88dd0422b5f55735b80d0d1553239dd881bbc56343ca9ab79197631d7dad50250e22edaf212484f4b50ffd4576cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
c98cf46393abf46d79f9e6a76c62527d

SHA1
5d34ef69728a6db75ad0b8851663ce1059fc65e2

SHA256
62088465d3732eb73442c789fd754f0b065f2971cf30240ffd32f18ca5b8de11

SHA512
dd871bc1c7a431428334b6461df70d111d24242ae5fa96f8464f25c83924e6f30495697a5e17aaabf4f1428a37f2b05a9a709a39c4ddc6d74605ea8d843a8873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9cf720e293017bff45be91a1f9512f2d

SHA1
64889c4c3bbbf5825467e8539f1dd193266ed73f

SHA256
fdf66a91df6457a4d3e3538f0db3089eef3d9924e390fab8fd6bd8ce53c2d878

SHA512
1473e8ec5dfdfa0efdc1632e775e9ef453a0f93ec534a16632f170699b865c8a495e40caf88a6f58dce1a5ce8434efb989299e18c3a97f5bfc66c776cd597281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
da4b67fc6a2ed2df6112f3b2b0961f08

SHA1
a81f9debc4b065325f5d34b86044769e2c106262

SHA256
97b737e85bbd60c801f64b611a3a71a5f875e9522adaaa8daf97e90412e4af1b

SHA512
0ab761fc27387dd88aa879209f4d1e091e7711062218c2590e20b02653250a658f11c2af1198dbe94e47ed6833dae22d1fe9fb8728aede810274cb3005da88cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4895456d77a961e07fa64eb69a895cb0

SHA1
8a7589708df056a004837cc2a236cb87e9fe2559

SHA256
668a64636d64a0cb7f3ea374c3a7db3aa529d3dc34cbb04f19f7bf2fc96d356a

SHA512
3470f553f440f42bde1bf8e4605a86148da856c3cef8295deeab16f5684285ceda6e9ad76cd861d2105c201b6902df7842b805534728b618ba7945332b5474e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0b364439073f64edc880fee46a01fa75

SHA1
fb3ba16040fb699c0573dbd3069d8ac3e84b081c

SHA256
da564cc9f76d44b31681f52c3b8d003dd5b453bfdc4901016c33daf17838a980

SHA512
a92f1d74771db5792f0b6fad282b19f450bb8e0f810d1527ac092c093eb5b553ad8ae2053e26500472ffb429c31b22a6c6622081ac29cf2cdcbe2e84e6bcbe1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e2533c6317737f7d1f117e01fd15c621

SHA1
399ddf863f059c4e13c17104487940addb739da7

SHA256
80639a8f40358428bfc7e1578507d40c5076bd98638331d394c9994e7f78c45f

SHA512
e38ae1f3ff7037502130b1ef3e3b686e6872f3e16dd3ea9af84e96b4a0171394b1d8f4aa13270744155752d28808912bcba1835eb0140570b58ac4be3aa56aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2df4ef7969747b4a735de142335a331c

SHA1
850ed3137dd07f1fab698a9cf680c97495779b41

SHA256
a93609b843b4b4dbc68db16d6ea6ad1b2582bc365801203a3749ce53a2bfba08

SHA512
95a8a2da46cf40549aa5fd1a4fd555436bd8f501f5671b02cd948070b2e3c4341e33aa7a24cee75914769241ada582c707356304db8f500d05c4bbb3bb70d5f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
73c77a2b208012f95ccdaf6a29c09ee3

SHA1
e697c5270b5bfb4d1b9ac4bd6ea93feb6f4b1f9e

SHA256
3ec252b72d1131ff4e1761d05a94993e0b0d5930d99dfbb841740c9ca26cf9b9

SHA512
385f3251acf69ccdb37c14209b81eaf0694accede3ce0e6dfd95593da7095679bbfe0413fbef1325dc8dd7815fc2d8f447bed4683de077ac455d975e18583d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e333eb5d33c0aacb02f42d0093548a48

SHA1
a39a4521d612d476ec951ea4d2130ea6a6493545

SHA256
ffe81d6f50481ac6a573c4ba078d1c54ca87b4b6c064e9183fee748de1e7dcea

SHA512
56ea2c529d5f574a3d6b9a7a7ffb9bd11daa3921b0997599fb103ace6136d93c0081185e27bfcb254823427ca4a0b01c10525675ff5d1ea1c4993843d40c5a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e7d8f99b6353169794a8457d9ff9e12b

SHA1
a038dad4539bf482edfe16f38cc3369e2c0121c0

SHA256
9d84dd3935bbc7bf835a3a1e129242114fc1a13a13ee126fd91d3d42054aa256

SHA512
61d00240c1f0eb4997da8b99d369e0714798d25628c5be25a1890ec5e0d36bc389ef48d9701702224b69859f9f59599559bc0f66c794aff258e2fcc0401b0ad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ec67fc199dbf1c9eb765d11b22b488d7

SHA1
c2b08ff009452d6a5a3c56315d566887462a0cd9

SHA256
adeaf66a9fa481985983fc5bea331edcda7927e366e455d8cb015ac3d09e5725

SHA512
aa61230a4ab89e5ab0f9139d05604e554014eef0689080cf2c2714cb0fda0f22cf3825404cf601f7ce211f84eee98deff129456dff347cdbc3593d303b63a6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
310914e15de493ccce90c3c32c920ac6

SHA1
f1808561f4f2d0c3270e096d96cebede2f00b921

SHA256
3b99efb853c35c84599def36a9726bddb05f8d11aa98b837c418af466dbf09c1

SHA512
c7be480d20f3e59e5b70c431d8d1aa5f6fc6fe226c2f04dc8084eff7167276c5bf228e9e26c83e64a2d19356585e2cfc967da28b31ab6424f6ce9a543eac4a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a39d07c91e4457a32ec50e5d658cf075

SHA1
f83a0a4d870bad79168f01dee6958663ad34a12c

SHA256
9aca3d6f86fbfe4131f6401ae7013d7335e59d9bdb8eab3d5182778ef69c0019

SHA512
f98aec687285a0ca8266217f56479240bac3e1ee76acb74f1fb194e35c5f89570db7067fc0d8cdb3f9f1e282dc600e498392827a07e3b40fe97753a5ff23dc10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b0b9cef838d8fa748cd869ec95b3f283

SHA1
4c57c571b6957e52c006b6f43b18a5d7de34df0f

SHA256
cabc25a3a0750ea787d357476a1bd274ee724155778b99806e649f2b2eede502

SHA512
198c9411c9f9ac62f345fafc970ee7dbc10074ba896b7fbc924716d87b4cdd5ee58d2a68453a9c56e9838c61dd145be1213fe4cece933bdbf349e80a3bd82f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f1b8e7d9b6916a5d2f52d6c148379221

SHA1
af4a35a029e38bfc3089070357482b724f0b07a3

SHA256
89e40d3464d380836d8f96fc0a60bb35b78573d60e4d352a30f2ba79de4213bd

SHA512
d856d4c3569011d1f910f614429719deff06e4d9dc559137710ac8d8c37dcd3f998646fafb524c4afc652bd49ca424a438a24872f4c5842bd522aa91d3f494cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f019a492e301121c54be6917d2239a17

SHA1
4512db6856b541f3dff205a005110475a5cd3f06

SHA256
1d5413fb0ae504a543af7a7d8a782b2df3c20d8c9aec5e17ccba0b0df9a7c00b

SHA512
681541e45d9d568baa17c4322bbd8694e708546dc9ac6dc8df8a7d07661f15ea985bc85118cfd59d2f4042e781de5085cc6622bb35a4fe4064e7e0447e413d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
44dc0aaa8e68cd0c1833f3f22d47798f

SHA1
bd92b4be7ce63fab0310e2ca4db7a0f2cdb6cf8e

SHA256
0e6a9b62714482b26ef2aacae6c74ac1f6e20f189de18afa877f1dba7e2905d0

SHA512
61de7b6e4b1606f9b2de86751df0581c71e49c1dc1a554b9c38ea7c6ddee584e1da4dfa1af82219cda65b4e6a73ee2593c3e84f01bfa33271129a13a5c407879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
62d559494b17da9e5fab1b16f2794447

SHA1
c0099b99bebe34d7c6252d47ef479a774a08b722

SHA256
abd44cc7bb9d9997303cc5cb1d71860a5bf59b53148819541d9e93f4c910b0dc

SHA512
19864e6c7be53c6697deb113dd356dcc0f6b6462a9997490c3dfa67af9bc4f46702663a0b85ec03868d2dd736833340b3bee6a2b9a19ae77471742a84b21b585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c371916b7cbf53b0a44c917cd0556c33

SHA1
fda68262336bf6b6e221b7bc2cfe690e2bd5740a

SHA256
a6cc2aad35db43ed6ed511578bc6549339db45d6a7a9a92153cee061a88aa535

SHA512
904313a30cbbc9755b5a47d49402c77358a6a18a957150e5de9d46a2f2bd81f4353f6b041033f3d73b07c14b6630c6f6dff3a926aa1cab18d2f07543319f2030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fe927fef2062fc62742e0a2f8fb207a6

SHA1
41fddb5c3bc0d45bb7f0b61dbdbe90d502c041cc

SHA256
1be392b03b959c2f5384b3cc4f1fb9c5208df1b83e0fc2477a3788855bc3f5f9

SHA512
f80445018dd8729ea37d570aaf3bfbf1ed4b0c9ff0f92631714e9752b356c947c51a9373ad01e687b0197cedb306f8f11f5f68e9ffbc335ab4363a804a02a5f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d05934942c34f8eafa80fecec7f58770

SHA1
de2bfbd97bc59574a1fa5437bba26a4df6500ac4

SHA256
e818f417102733acfac3ead0ea6716d0f81ceb66b2589c8443fd607502bff85a

SHA512
16d5659b2bf8b65caef9c27342256af9d986465f9442f78caec27192c30fc183bd72fd1c20d79f70e452c02210ae65a7f4192ab753dec12a52d591a98e0cd4fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b03060fe4b2eaf1b4ddf7401e10c0aab

SHA1
3e9c7b5a987e15ab29ee50148ba769c0daa77be3

SHA256
0ebc4f11892da8439f6913f70ce14abd8d7a149f29cbd06ee776163348dc9571

SHA512
3444f4858a2c36cfdff18ea0b553231fe3addc2d9816c77009641f53c700323c98f46b7737b5bff43dc0be9ca7b52ed6f2d7bb7c4a586024b45a41575730150e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
545618e82f65bdee24368318ec853226

SHA1
6486b0286470419c77c9b60f29db572522706e14

SHA256
a14a4fb1eaf849757a84efdbfa416f1b7db94708ee4ef0f33c3e7bfff76a60e5

SHA512
69c6c805ef507d0ff2610df75787ee7e22e474d3aeb3a1fa813e2b2bc264262b0d6fd35257c56d532df33f7de1a763d6cb704c79089cf12bcc33a21da5128359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9c4452275ee6646b3ff626993f12c659

SHA1
7232303cae08c37eb50efee0d4a54d28550cb906

SHA256
97899514702015408139db782e9615603e2ac9c77ef1ae13867ca616093fdaf4

SHA512
385353e142118ca5dd70a3faa9c595b54e1eafc592d8c2d51b5fd6f3c3b54281b7d4f9e65e8b1d832b0c6f8d6435d5f51d1f5307a79a7ecf983c5004e08659cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9a6e2bbd6f4e79eb6095e379e565650c

SHA1
567e97605a904ad495f7be1ea56ba0d895bd89b4

SHA256
ec98bf8001cfdd07e71959428d64177e20304b4b74e1f791a46649e89cec3338

SHA512
9f407f743b73303330940f576f8e3bd9d75b52b23bfb936342e8be44320ba6e8b4eb322567791457afa9ff3a8de5e86527b508be2be84abe709ae990c1aa3b31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
69c0bfd8f3359eef38228698923c7fbe

SHA1
33682214d91ae00f5e35f40d155fd37071612bd6

SHA256
fae3cb5c46e3f6532d1814723b279962e123c619644722dc1debfe134098dcbc

SHA512
d4e5120bdb2454195fb1a2b7fa79bfecb38c8a4c1f62349bf876cc6ccd0452e23d87ee3d7fe20fb17af10b54678fa56eabea38b5ffe6c9405157c78713472dd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9983da590ae1f3d3efa5cdd2585e8d86

SHA1
b5169fc3f5656e0a707b9d52f73d396a8bcddbb0

SHA256
615445369cfdc0765e229d9dd89deaf6797086be11dfdd6d5b22714a8561a2f5

SHA512
6036b569401b665a72136fb7f1393ce41c50270620900085739372eb8c86a5eacbe0c8d991b3679c45002d5603ff19fcec4b5999be67fbdeac0d6adfbf180304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
67746b23adfc9f245753b9e53312ada4

SHA1
53c08ca19eb343508d490fa0dae6ad0c05ccbbe5

SHA256
655e59ee8b05b259b76116c554fd753e01066aca3c90d5a03ab0b413316fedef

SHA512
ce1b49057d9ba33477d23b4c571370c79c6035a16db795c4a34f3e465e29ec7df864c221337d95769f6389ba0ee2330f3aa6bef27048a619dfc73f3b41571086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
134bfb3feaa1daf10225118e8d5c97e3

SHA1
b43469020c356ac3c520a02a98f46b4acf486201

SHA256
ab3371bf98d41e9e5bb666c6cdd91139acdb65ef05226bb94f67a7d20c8b06e8

SHA512
59e637e55ef4abd6037b89c7ad6d1b2f4f7055a4e76c36754ee9615d8058070ca8dc73b217692292eaae0a064b91ea1cf6177a0ef35c7bf855e518b3836916e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9ffaccc2f072d6ac9b0c4645772210ed

SHA1
3607b4ea782592aef6af72b6e5e72b9c890f85b3

SHA256
dd286e4d30c2f1e49cb2f4368ecc9f39ca755a0b8e8e3822778bf1521274c387

SHA512
112986b75821c91402b3a9e9c64e8d66bb783516aee95842c1d08a4968dc7eb801d8806face54b72c31f7dd4e12e47e35c355370a64cccc831a4e7030e159818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c05fa6033484f3e64f6fd7c4382cb773

SHA1
3a6bb08ff63951a6073c83ced734190ca9ead3ed

SHA256
1c80e02dd207eee4997a1e7aadb5885cbf0edf929c9e657da246cbb275d6225c

SHA512
ae16c8b1c1d0f2bd8017bcfdd3613f74147a5c3069d5deebcb94762be52725368d0724abb2bc8dd65d1cabf978fe10b2db6308dfc125518ab9f5de3ef9f5205a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1dd3ba48c232302bc1ce70693dd76f19

SHA1
e458521f16580e9d9e0a471231cae873b0cb807c

SHA256
6c3f5e625e07e3cecaf47675ce63c3fe3f23bc3887e5d685906ee06b7503cbf0

SHA512
39a72c78cca7f41dfeec4f19aa506450815e31f6184d331d5706a6c204ce547c1e86b624d62afb489c30e3a37d879d30a8732f8dc4950a20325a5e340be63f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
334270f4010fa9c994f9859397186538

SHA1
e4fbe851183141e3fac85fca5cc675470b57efe4

SHA256
6ca69e7ac405bb04d16ed25c93916df5108af4f4939cfdcc8249d2f4df517e24

SHA512
41ad611d89254474fadf36899d2d16181b72da6878449b0c2d313522a23dd558f335d21cf76cc7344496e5e091cfb71dc4bfe2661dcfde45537b3c2da3326a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
18f9b57cee1b52b3275e3ccd2f32e7ab

SHA1
849d78a5c99dbee34d843cdff6e6acb521aa873a

SHA256
8748c58a9f2eb6c2c9001d0bacefc4090525552d62ecb06847565916de24739d

SHA512
7f3100be00941612d0e6cad91149f8eb2fc3e53a66a73296027a6a2092af3f3a7aa95c57a27411ac0f439ed6e12fc8d7b44f6368dd017e4b4b1c01adb8056fc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a3bbf8f4dfd204674a13396972af3ba

SHA1
945e0d16277a41a668927a216c301d11a681548e

SHA256
4d02d359a9cd55a468afffeb5e59113d187278228ced25134018447d7e481887

SHA512
7c6173618984f3aee6c8ad4c65e545c5dda1eaef01ed31d6aaf7371a74df68bb9d5f10ef317a704ac2f09a08210965cfd46426cbb0e28f228774bfd071e67c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a79f5597b2b8ae585482ecf80cd572fb

SHA1
92d036c042ff34c57625370ba3c99b8f00934d99

SHA256
b194cd8dda9b3b02426a5daf8e8e4fc6ac9e1027d1790f9176a5fd251bc8555f

SHA512
db93c119785baf1a03404cdc68dcf45b08747322fe7c21be903e22de48184e0ee12ac6604aa83d84aac82e68f8e6d23548c7ba1fda2d829c687e19e0f557bc2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fdb33e7c84c863a50582a8f75376cfda

SHA1
833edf3ea36de2c40ed47f7c8f16a9931310ea00

SHA256
cda8127dda92a93b33b8d34dc20e719edd4774a0dd6308990bcb507290fc0e5c

SHA512
30f95969208daf19415694640a6ac2403a0b5b95ff80681310448afc7b76cb38f804db26d5b06e965b01ff8456453b79511d18b323d4c96e6b9494fd047ce08b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
04474e1b3c9bd94d231a4094a28f7cf4

SHA1
e0f178acc7f0464cfbedef9f2e773bb91a75356b

SHA256
2cda1a6cc361b7dfcaab1c55c7043db0613be4cfa2417f39f47242c1deb721df

SHA512
c53b375113f592f3f6460e8dc9707cf73e410537d31b1738b521651d0396c73ab437c019dbf1b0f08fb8d128145305acc42b8afdf442db70410728d9a89d24c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25f417e89c1dcd38f692acfe06a448ed

SHA1
769b93595c502fa30cc4e8a46b9b9e5aeb9aef70

SHA256
6bd67dcec207437dbd1e836163a7c2d4244ef2fbba1015db79e7d6465571e948

SHA512
b66948cacfc10ec6481ffef92558283953e5fd1b8feea58a9efdd0de4dfc8a32c6c6840e16a66d0ae467207e6af1344ba7abe452a5744664f534535f5c5d7502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
49802aede956bcc6af07a3b02a77fb3e

SHA1
44ee6865345b2e9cce44b5894f6c3dbef7ded343

SHA256
1a0187ba753705a2d421722af0a24486ce148e5fb6e4e832033160ba90b5e338

SHA512
ce99380f7774d340225307b72338a76327d9082bf14d73e42666116f1921dc170e1f12302eef65311d881ef434e756a9bd579ac0133e976ddee66aeff65e116d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df09b2efe624705fceb236da5ccb8a4b

SHA1
27f2e2235fcd0c7a2a78dab757dcf0f35ed58378

SHA256
37eb4d305b7a3711c4937a2f549f056f2d613278ab601275ffb4bcba0bb0f5ac

SHA512
8636a0d7d1b35d5e68f6793a2b80cc4fab208d7ba2ebba63563de430d254463a05cef138f11c038360beb7cfa7e375de77771844eecae9bf01ca4566aacaf82b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e6c3c2388b7803c436b5d607ca5e68a6

SHA1
d8c174fd7cf3ded548d5b9bda026d157577de71e

SHA256
bfcad461d005d97862c2b74ca75745e6ed766002d42878ff6b86fa64273a51bb

SHA512
5324f8174d10207f4e6c788918b0031da72992936510b1588fb35a3007773ebbf6e5f1fc4b2a5872782eee224910f3a84920be0ff2c24da4e3a7010c3be70ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8fd516f5c39c1d4d43017ac7bb152164

SHA1
b6c24a6ec7e8a282d37d1b98e1301adc5ba881b7

SHA256
8e419e3f010450659ff9d0062f429c3e8869ec3b8ebff38f9feed9289cb66e20

SHA512
d551b1b633e7db12b07e4e6befb1a24ee33f8ec4a555e239d4e7dbfa9dc52e4d499840f229c39f61c0ee2263f275258a669a2c1ce84de1a6e547027a810d8713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
437c294538eb7e9a466c4deabd365865

SHA1
9b557a0b13dc472c9d4e9d6edcefa04ef6e9cb50

SHA256
bc24594199470ba6b9b9f0754e9559a2a9d32e8c1dd80b5002f8e801f260ba30

SHA512
197ac521547481b08293d06bb10df8714e7d9798351aca39bae78ee20ad5c0bbd674a13ba39f9da1b3ca9f5b167ea14ce299d30f05a8debb9408fee80aef28be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f9e4e74597cf0e634ad6b2315d0a7fe4

SHA1
06049bdfa372206a4d50e4b3b4de6ca3043ac193

SHA256
e2ff1f82bb90d3df3c660acfcfdce169e2064c95e49b6855cff683c8be1cd54b

SHA512
68eef49fb222e756880398ec60da418e14d621003836439c99ac643a265aa2ae6e53fb7ced4a576a632cb7d731e9f2c511e737189ec25d30f44900349abe071a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e6901a78d6db2fba97cb47808b6ea329

SHA1
47c1d64e69981b2c5669c1de6a1216f74139956b

SHA256
e33bd9ad78dd174751369ae7df266518e987071d86a54cb9f8d5892ccd31e6e8

SHA512
4acfe9999d9127d9fd234b4595557d49eb330146138e874446524ca47aba082b5d18e7db7b3138c578f0470ee23fff6a6d459ad7242760670d3d9849e1172049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
194e25bc836873ad7487a50ab435cf29

SHA1
b2b21c945978d08aa170075d23810a66a66d8875

SHA256
9869182708608cf4a9afaac42f9cd5dea85de003caa8517fbe11fcbbf8d04858

SHA512
14b2f0cad820bcca611238da4b182f78d1ea248befb26e6d4dc5edace120707223fd56a864b128bb885019cff48813294341c222ed5fae4e6bff5189c860edd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4ef861d4226b3fa9b86c205b4ecf3c13

SHA1
f0c37aa6a89ae90e45ce3c7df4490d7911e055ae

SHA256
71b4681698dccb7f1ca5eec57f541c8f456eeffa3321661149143aba106ae086

SHA512
92502d229425e03e1a2d4094fe7e680e8eaa71fea5ce05d8a327d68cf3de9bd8f3e236e17321eba08953cc346a83d293abb60af9a79e0d6b8421ef3fe57a1212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
05741da07752a0c77161fbb48e208bea

SHA1
70f2cc03c864555c178f1026aa95ecf454438d3a

SHA256
82032a5274c6324bfa84b746588d6e4981c304271ae4d4743d2de22af1bae5b7

SHA512
0455d84742a6114ce6cd29aebe35ce0373dae1f57cd3f2433bb75a6af8e6918d0ce9b290ed027870ca6700d4033ccbac89d3a485f2ade1dcd63305c189dc1f20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f6a17e0fea136d3e3aba297542a8bd8e

SHA1
681ac2e957582891b7fae4d79cda7d1f705e86db

SHA256
0bb5b070250d21933a4af8daa6ae185c776b184aba29c4d3fb2cb5944baebf06

SHA512
3bdc1cbcec575db5d1225a0354ead50b64e8fa2235111e19107a28790a9b3e29b9d6b9e6313f700c222e227b78c54e935863925fef1ab80ecb773c51001df8c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\c0683dbb-6db3-4c93-844a-61677be544e4\index-dir\the-real-index

Filesize
1KB

MD5
1bbe1eb06cc1a8e0d8fa56d18ea87331

SHA1
b5755ef9b6cb1ae377c61a0f2f3ffb7809d2060c

SHA256
0dd8ce8f92197c74e1aa2857b1fb55caf5123cd7c95bda615cfc535232b5d3d6

SHA512
9ab124e18198901fe54effe2ee5af92a4560176dd4f9837cb88ab8da020ca7401922081f2b55df85b687a0d0b272ee7f015be5cdabb8cd18e404a1e4119d1fea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\c0683dbb-6db3-4c93-844a-61677be544e4\index-dir\the-real-index~RFe59f5ef.TMP

Filesize
48B

MD5
c05c48bb32ecd02ac677fe8769a8dd7d

SHA1
04a699097ce504573c323385c3836b0cb5b84c06

SHA256
f6abccf7c598f5327c875eb4b051ff718b309e564bf2c787e86d30914c90e131

SHA512
7c0fcc45094303945823e50dfaad075c6b3b1eba9a5abbb938c3f876e904652e184d7cc4933941448958371cbb365fb80a759674fa011c1739ab4ba6ba3f0622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\da3fe8ab-475c-461c-8155-5bcdaf2fda93\index-dir\the-real-index

Filesize
72B

MD5
67f41261f2e9d2ce3f47c4e08f14c0ab

SHA1
f87435a07e00b597db40805ef5ed0b30904d8c14

SHA256
ddc1eace655c02765d1d2e02b8d5e7b712883a5fba46436e8d1300cf055a315e

SHA512
c323e926a95bf93ff2b1872cd8d6708ca7a7fe379c46f141f03210bef170922d42d12508209222c895203a06b78e8c0e705e403c3720c46af27ce56e7880f815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\da3fe8ab-475c-461c-8155-5bcdaf2fda93\index-dir\the-real-index~RFe59e323.TMP

Filesize
48B

MD5
664ffbf8f06aba3f8c1e6ce65fc61204

SHA1
233c1fec79d246dd9d0e39ba64ecffc5d7290fe9

SHA256
21336acc632e1a250d3f3c93ade7799f7f5d171c82b7554a96e13c5eb40e8aab

SHA512
429492b84add6c36dc30ef450e167025dcbb1995d4ca5756c539542a36461bc94dbd5fd498f4b942f4e23acece1788d5342a3f4f618decd8c73e656ee6c046f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
234B

MD5
4693b9ccb031f4d1ca0d27aca27ac18b

SHA1
947db409cc489490935abca3ce9d8c0f4db45999

SHA256
a6e9c7eb4d50676c354b38b7a548ff2fb108d591907488100d3c17d913b12abd

SHA512
42245f384f6e5202fd62cafc142d5172bb28d2580eb9767b9ffb4503979d5639ea9eba2ea0fd83b4dbe591dc812dd5dd3f9b0d80fcf277443c53b3541050341a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
237B

MD5
07f847e5631125de65865922ca7dd7ca

SHA1
4fe390d58de7572abc2d131a1e5b6793132327f1

SHA256
3b4b9402ec7cf5892bd5d26935084b9c9a078f82be1dbabeda9a1de6fa3347d6

SHA512
d3328eda00c65ccccaa26f3800a434e7e7af4f42fbeae2c6528e88b04b7ec9a8d77439fed8e76c644c1baee036f7749073d58119b2a68bf163b0a4a5099c1f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt~RFe5994c4.TMP

Filesize
142B

MD5
82cd610fb534c7e27ebb801712854ad9

SHA1
011a92e003a9c0459226178632ad965f3d7464a7

SHA256
7461920e362e651a61ed11022b57896a41a8e24f0cb8f817ad80d918fffeb857

SHA512
3df6ee343a49a31d4d2b68fa4e7691b676d490e6b29f6c10e54f904827b4b423bedb14d6ac44cdabca907354ae690590c44642dc34cb661e759ac04f6957e62c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7d4387656e9a569b1f32f1732a5f0ffd

SHA1
101e4d237c2e77e9335abaa31a2ba682c61d8f19

SHA256
ed6add23873dd6bb3313e6a271a91bb5450d0016aca5e2f3fdc0ac999e5178ef

SHA512
df286a14b31dc9c381edbfbba6798b3db6c4bd5e829efcd48e399bc73a75c80629c50fb95b5259c9c8d2ff9e8314aa98988079043f958471e7ead22f44a91321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
1d9592f98b9c7e72b968e325681e2dc1

SHA1
f2bb64565dab52ae623c41ad10ffd183228f1fa9

SHA256
e91c4450be2d3571d898f8ea663342229cff6934e6c452b363b7aef3d1baec8a

SHA512
60b50332be90409e96084a5625e70ba3dbd1861097336edc53de1e4e600ab0ca0ca22b5426a934ca2ec618e754fe40c957b15b274158101a2cec3e7ed1e7d383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
11e0623c628dae8f443bb91a65ce9c38

SHA1
3ef53b850c551a21088f10bf73d45a65fdee554d

SHA256
468c14f8fac71895ea3c0a24507f5087218562911fbab362abe2158e4a976b1c

SHA512
d94d606cf883969eccd7783bd5eca7ae05800f3c92c8988c5fc4451ad907e60fbf2bf4ea61b9664eba580b06c69b70be027dc6fa472e08f4ee2dc85e8dff32f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
0f95f09321d61a7852b68f05db77575d

SHA1
0e0953e4b0e40969ef254357c3bb83c33298fd78

SHA256
c2500c10e040cd051bf26559304a6862d5bd8c5b4e7d999bbc66841312a0a1a7

SHA512
6f23ef0cbffc8079c7fa2156164263bfa750581c0477f9b9b328c4413fa3314e77d89f4d896c2698b9f4936626bd769600c6f21c81518783c7b258439e58c12f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\53a29ac9-64b3-4323-87c9-c89b4882903b.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
ee8252f3757d92c12bf5d1d1ff15f260

SHA1
f38341200d9579cc1691c12d141f0c09dc31fa25

SHA256
9c1b019a2611806c159929ac2dd1c325daddd76ccbfc3668874bbef00951af33

SHA512
ef9bb6b67895cd233e62608471f1377cfc84d37fa676f2f729d8cbfc2edf07d8e9e1d21292bc2f0a442a118c801ccd50b3aba0d8c796149b93cb5d1729717292

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
f7362f87a128344e6f5656d242c591f2

SHA1
ca38945477a1eeb787c330a063a0ec5ce4537cd9

SHA256
bffaaaf4e6cecb4aa0261c259b3a17577ae2265b428e439f8d67f4b1272a3352

SHA512
853b3e2d29513093b504495080f8f8f18ed03c1f805843149818b03b9ab42a2d19d401c67cfe0c2c4575ef917b32e592aedbaafdd92874c7f0b81be941d95871

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\0e4df74cce0423376e6a782e4b3deb64

Filesize
7.0MB

MD5
0e4df74cce0423376e6a782e4b3deb64

SHA1
8db193e73416f1da44ad98f344d3ff207ace44ac

SHA256
8b9263763da2c73054426eb6a8de5c4e7f42ecd11e9c95a426b0c66aedd727ab

SHA512
ca3136acde16e33c80a0f50c5f73a2eda795ebf9a90f7bcd4803b5cf2c51135b2ec2ae40d06015ab6fe4b2b18bfc0a95712bc98dcf5f2cc85192bb715a021642

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe

Filesize
6.9MB

MD5
1c4187f0b612a9a473010dcc37c37a82

SHA1
34d46733452812d481adeedad5eaea2cf4342540

SHA256
c8d55b0f4f25caf135dabc7f21b9548263022107e9740dfe692b402469cd47bd

SHA512
075678e24a867d5630da324e934837d81a3fa1d848a15feeb2a7be268d38b81ca4210cd44a22e9869173edebecd1947968327ddce16a85b71c03e6307e365def

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSI105B.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\MSI3C.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIFFBD.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
7b5004fb516d8e16301743126e5a9062

SHA1
b7e1c82b8d660bdeff80bc3382c864b587e479c9

SHA256
6c78af565d4ab263d46842e8add58d03469d56bfb2285647815c6eb8a765f626

SHA512
e28e218bf5c133c675f51b37cd190218cb986d000f4307570d9af34ee24c41434a923c0801c4fe1967685c6efe259b29f09484695f515c024cfe81bf3259d2ab

Download Submit
memory/992-2888-0x000001F4FDFA0000-0x000001F4FE4DC000-memory.dmp

Filesize
5.2MB

Download
memory/992-2892-0x000001F4FDCD0000-0x000001F4FDD82000-memory.dmp

Filesize
712KB

Download
memory/992-2890-0x000001F4FDC10000-0x000001F4FDCCA000-memory.dmp

Filesize
744KB

Download
memory/992-2886-0x000001F4E3350000-0x000001F4E3374000-memory.dmp

Filesize
144KB

Download
memory/1596-4260-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/1596-4261-0x0000000073160000-0x0000000073370000-memory.dmp

Filesize
2.1MB

Download
memory/1596-4297-0x0000000073160000-0x0000000073370000-memory.dmp

Filesize
2.1MB

Download
memory/1596-4409-0x0000000000160000-0x0000000000195000-memory.dmp

Filesize
212KB

Download
memory/2772-2470-0x000001806B1E0000-0x000001806B1F2000-memory.dmp

Filesize
72KB

Download
memory/2772-4-0x000001806A8F0000-0x000001806A912000-memory.dmp

Filesize
136KB

Download
memory/2772-2468-0x000001806A930000-0x000001806A93A000-memory.dmp

Filesize
40KB

Download
memory/2772-2893-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/2772-1-0x00007FFE79A53000-0x00007FFE79A55000-memory.dmp

Filesize
8KB

Download
memory/2772-0-0x0000018068A10000-0x0000018068ADE000-memory.dmp

Filesize
824KB

Download
memory/2772-31-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/2772-2-0x00007FFE79A50000-0x00007FFE7A512000-memory.dmp

Filesize
10.8MB

Download
memory/6088-4424-0x00007FFE9A940000-0x00007FFE9A950000-memory.dmp

Filesize
64KB

Download
memory/6088-4445-0x00007FFE983E0000-0x00007FFE983F0000-memory.dmp

Filesize
64KB

Download
memory/6088-4444-0x00007FFE98270000-0x00007FFE98280000-memory.dmp

Filesize
64KB

Download
memory/6088-4443-0x00007FFE98270000-0x00007FFE98280000-memory.dmp

Filesize
64KB

Download
memory/6088-4440-0x00007FFE9A770000-0x00007FFE9A790000-memory.dmp

Filesize
128KB

Download
memory/6088-4439-0x00007FFE9A770000-0x00007FFE9A790000-memory.dmp

Filesize
128KB

Download
memory/6088-4438-0x00007FFE9A770000-0x00007FFE9A790000-memory.dmp

Filesize
128KB

Download
memory/6088-4437-0x00007FFE9A770000-0x00007FFE9A790000-memory.dmp

Filesize
128KB

Download
memory/6088-4436-0x00007FFE9A750000-0x00007FFE9A760000-memory.dmp

Filesize
64KB

Download
memory/6088-4435-0x00007FFE9A750000-0x00007FFE9A760000-memory.dmp

Filesize
64KB

Download
memory/6088-4434-0x00007FFE9A6C0000-0x00007FFE9A6D0000-memory.dmp

Filesize
64KB

Download
memory/6088-4433-0x00007FFE9A6C0000-0x00007FFE9A6D0000-memory.dmp

Filesize
64KB

Download
memory/6088-4428-0x00007FFE9AAB0000-0x00007FFE9AAE0000-memory.dmp

Filesize
192KB

Download
memory/6088-4427-0x00007FFE9AAB0000-0x00007FFE9AAE0000-memory.dmp

Filesize
192KB

Download
memory/6088-4426-0x00007FFE9AA60000-0x00007FFE9AA70000-memory.dmp

Filesize
64KB

Download
memory/6088-4423-0x00007FFE9A940000-0x00007FFE9A950000-memory.dmp

Filesize
64KB

Download
memory/6088-4446-0x00007FFE983E0000-0x00007FFE983F0000-memory.dmp

Filesize
64KB

Download
memory/6088-4447-0x00007FFE98590000-0x00007FFE985A0000-memory.dmp

Filesize
64KB

Download
memory/6088-4448-0x00007FFE98590000-0x00007FFE985A0000-memory.dmp

Filesize
64KB

Download
memory/6088-4449-0x00007FFE98590000-0x00007FFE985A0000-memory.dmp

Filesize
64KB

Download
memory/6088-4450-0x00007FFE985B0000-0x00007FFE985C0000-memory.dmp

Filesize
64KB

Download
memory/6088-4451-0x00007FFE985B0000-0x00007FFE985C0000-memory.dmp

Filesize
64KB

Download
memory/6088-4453-0x00007FFE99B70000-0x00007FFE99B80000-memory.dmp

Filesize
64KB

Download
memory/6088-4454-0x00007FFE99B70000-0x00007FFE99B80000-memory.dmp

Filesize
64KB

Download
memory/6088-4455-0x00007FFE99BE0000-0x00007FFE99BF0000-memory.dmp

Filesize
64KB

Download
memory/6088-4456-0x00007FFE99BE0000-0x00007FFE99BF0000-memory.dmp

Filesize
64KB

Download
memory/6088-4457-0x00007FFE99C20000-0x00007FFE99C2D000-memory.dmp

Filesize
52KB

Download
memory/6088-4458-0x00007FFE99C20000-0x00007FFE99C2D000-memory.dmp

Filesize
52KB

Download
memory/6088-4459-0x00007FFE99C20000-0x00007FFE99C2D000-memory.dmp

Filesize
52KB

Download
memory/6088-4460-0x00007FFE99C20000-0x00007FFE99C2D000-memory.dmp

Filesize
52KB

Download
memory/6088-4461-0x00007FFE99C20000-0x00007FFE99C2D000-memory.dmp

Filesize
52KB

Download
memory/6088-4462-0x00007FFE9A1F0000-0x00007FFE9A200000-memory.dmp

Filesize
64KB

Download
memory/6088-4463-0x00007FFE9A1F0000-0x00007FFE9A200000-memory.dmp

Filesize
64KB

Download
memory/6088-4464-0x00007FFE9A1F0000-0x00007FFE9A200000-memory.dmp

Filesize
64KB

Download
memory/6088-4465-0x00007FFE9A210000-0x00007FFE9A219000-memory.dmp

Filesize
36KB

Download
memory/6088-4466-0x00007FFE9A210000-0x00007FFE9A219000-memory.dmp

Filesize
36KB

Download
memory/6088-4452-0x00007FFE985B0000-0x00007FFE985C0000-memory.dmp

Filesize
64KB

Download
memory/6088-4441-0x00007FFE9A770000-0x00007FFE9A790000-memory.dmp

Filesize
128KB

Download
memory/6088-4442-0x00007FFE9A860000-0x00007FFE9A86C000-memory.dmp

Filesize
48KB

Download
memory/6088-4429-0x00007FFE9AAB0000-0x00007FFE9AAE0000-memory.dmp

Filesize
192KB

Download
memory/6088-4430-0x00007FFE9AAB0000-0x00007FFE9AAE0000-memory.dmp

Filesize
192KB

Download
memory/6088-4432-0x00007FFE9AB40000-0x00007FFE9AB49000-memory.dmp

Filesize
36KB

Download
memory/6088-4431-0x00007FFE9AAB0000-0x00007FFE9AAE0000-memory.dmp

Filesize
192KB

Download