8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-12-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3968	Bloxstrap-v2.8.1.exe
7196	RobloxPlayerBeta.exe

Loads dropped DLL 1 IoCs

pid	Process
7196	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
39	camo.githubusercontent.com
40	camo.githubusercontent.com
41	camo.githubusercontent.com
42	camo.githubusercontent.com
2	raw.githubusercontent.com
6	camo.githubusercontent.com
37	camo.githubusercontent.com
38	camo.githubusercontent.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
7196	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe
7196	RobloxPlayerBeta.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3608	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776912613349060"	chrome.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\shell	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\DefaultIcon	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\shell	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\shell\open\command	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\URL Protocol	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\shell\open\command	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\shell\open	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\URL Protocol	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\DefaultIcon	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\roblox-player\shell\open	Bloxstrap-v2.8.1.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.8.1.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
3968	Bloxstrap-v2.8.1.exe
7196	RobloxPlayerBeta.exe
7708	chrome.exe
7708	chrome.exe
7708	chrome.exe
7708	chrome.exe
8396	msedge.exe
8396	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
9564	msedge.exe
9564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
3968	Bloxstrap-v2.8.1.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
7196	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2372	1744	Bootstrapper.exe	79
PID 1744 wrote to memory of 2372	1744	Bootstrapper.exe	79
PID 2372 wrote to memory of 3608	2372	cmd.exe	81
PID 2372 wrote to memory of 3608	2372	cmd.exe	81
PID 4896 wrote to memory of 2592	4896	chrome.exe	85
PID 4896 wrote to memory of 2592	4896	chrome.exe	85
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2040	4896	chrome.exe	86
PID 4896 wrote to memory of 2704	4896	chrome.exe	87
PID 4896 wrote to memory of 2704	4896	chrome.exe	87
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88
PID 4896 wrote to memory of 860	4896	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff04f3cc40,0x7fff04f3cc4c,0x7fff04f3cc58
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4608,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5000,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5464,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4268,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5480,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4172
- C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe
  "C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3968
- - C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.exe
    "C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:7196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/bloxstraplabs/bloxstrap/wiki/Switching-between-Roblox-and-Bloxstrap
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff0db53cb8,0x7fff0db53cc8,0x7fff0db53cd8
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2921198931385629726,11341519964045604642,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
      4⤵
      PID:8348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,2921198931385629726,11341519964045604642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:8396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,2921198931385629726,11341519964045604642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:8524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2921198931385629726,11341519964045604642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:8660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2921198931385629726,11341519964045604642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:8672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,2921198931385629726,11341519964045604642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:9564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5452,i,5860582607228261140,10597127638829566356,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7708

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.dll

Filesize
15.4MB

MD5
9419504cc7349b84397f71c572caf877

SHA1
b20dceec1f2594a4735d5a67ce4000b6c70bfb44

SHA256
8cb59614144afe49a6789e860a1808c09ac5182340ef5ce5a17b18810b513ad4

SHA512
e219059ee50ff8876f9495e8e12fa149eb49e431a092579b7090f9f8b238cf547f552361d7c8cca4a2900eb0630230cc4c9ad8480e79fdd1c2974b4578dea7e9

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7b4d1aa83e37c738530647f1ea829c40

SHA1
dc9c67ee18ab93efdcb33090564c2a469083b061

SHA256
55355ea49897b5286ca4f3c733d2f3b18f107ef56f76d7af946d2136bbd62816

SHA512
5977776709d7882708a20674183450e4a7649beb607cf52715e0f672b2b2c2d18b4f2540d5b2124ef41e6c3b601397117a49e2e932c13f27a1e6a4d12092e532

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c8bde2e7051425ce5acdf9f5aab6f1b6

SHA1
93b2b9cf0c6af7e61ec27285cfeb4070e67dfd87

SHA256
959f8113b8e282d2894ef4fa0dcd3f3803b25344028e00ad4ddeaf4f82efe92d

SHA512
dbfe00f8e61057de5e90c7f7af08ced5c612a99bfbcc9c38dd0fcb6c424abd0debe2f814bf03f2ebd85bbe77bbe31b1acfb14979a0d53ec312d8fbf6e8877b33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2a737963-fa82-40ef-9cbf-c63995957666.tmp

Filesize
356B

MD5
3c6776deb2a7b9de48a2974fc06e32f6

SHA1
a97d4632ab6acf9e59c507445bb0ed9e3fbe57d0

SHA256
ebdfc4a0b3e0bd2ceca4ab0dbd836abea5257ac8e8347f3b00ad92f0722fc449

SHA512
971a8f7dae6759600e26b2457dc503c4dbd7e95b5d55f14a3d185e214ad89cd43dc993e9736907d6ebed8622baa2b239df4a549dfd74093f595dd50fcd716a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
70d853c2c18fb3600117320fe9d6d2e5

SHA1
02a6c880531fcde00c13184bdd5ee2841500709b

SHA256
49d45391c00ca5cb09ead815b502746678cb9d8f2f48ff03244cb36fea655a7c

SHA512
ccfcc9bb0f1a79a046d1911dc0208167876170273312d72e8309d6431811d060579b976ffae8280133c32bc4549c2c9fabdc1c0e22b933bd1effb5f7bb9a1734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6a252ba7d6a49f3ae6ed255c944e851e

SHA1
114d8275b6a207662626be6512f4c3edd8d63bd6

SHA256
5640e7aee833532a7c524ddc44af1a883d998553ed31786e3f1a90247af70ce6

SHA512
2e725a9ae3c4ecef26b2e91ce6acfe05ef81aa1f89119c4bcaaff6c13e793b719f07f03a5fe98042598d0f1853f14b256b9b6d8a2f9faab608fedacc2307d623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fbdf557c68704f77ef6309a6541a2792

SHA1
1d89545305c367712d6fded48888f48706c0d929

SHA256
58a09d7294517096cc43eeaa7832999ec2d6ee4de98ee63988a9a641a6ea168a

SHA512
394d438f9e8bd5f98726e4636c33d04d28eb321adfb298d351d90c1c97f71b29456380cc8ef4f76ea323e35b156a0cbd2a055dd9fbb61e238f309381ef44f731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0d51a73c4edd83bf5d8dc099d95a585

SHA1
e7190ffd2c7fdd4bbf77c54c4a58f046e9476dd1

SHA256
b95f60ee9b28ceadc6546c8432347adbbcff01b0f7b26ebbc7088c6d6315edc9

SHA512
f6830935c2c2e458c17e05f3f7c3af5f27f81ccbb08d9ca898fb5e66cc14ed52a7f14c62824fa71b708cc9b1ae0acc27a4348a8ccdb18d2e9ab93c44496c7daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
637f8fca0b88ec1ed738dc34fb0984f2

SHA1
7d10bb4be1b98fef62b438d7a5e9d5d00eb5d5ee

SHA256
322564ad5b7d3bf9f545a44cd412dc44a97deae749b646d599c7c04e55b380af

SHA512
12e9e7577c9edc648bf362db6895aac263ffde930263aea6f51f46a7fc52a715fd21cafeff3d46cec47686dee97b7d662ef7c0f3e1a1a8d8a893d090337f4f2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
bfaae85b770ddffadf82627439772b72

SHA1
796648123e7e0b462a2b42dbbc144069ddf2a92d

SHA256
d0245f68c193cde17acd9cc99fb25ff075a4fde6c21e2f9079f737705a06f355

SHA512
0fd4e9ee183e8afcc65b705009b280d3ddeaca12d1e17716eefb9c79b8d945eaf830b3b2a106d486e051da724d2d8af367595a1a333257b1e325283674f8d0e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be5ac17924bc1d0b73688475b53b68d7

SHA1
6fecee0472d2ea5e75c6c8e184f9178b40dad3e0

SHA256
4445abf3b04fcb56469d0c25170d40ea98144ebc496ae8baac4eee9a610e16b7

SHA512
439ad78b8359b25404f894418627aeafbbe7b890434f5b8e67b6853e63f21d55200b9de1a278cda1ea57ddc951a6299b00e20dbf56b3b081e042a7e52b9bdd47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7b33e8ee0cc4d62de3c64ed50e0b023c

SHA1
14f379dce5e8f4944c8a9989b085cf463bb5c3ac

SHA256
e22f83feea5bac105be1d546102d341f6274f8fd3e7126ea6d3d4b01aa54f62b

SHA512
66807322b3777ac3c93d451107b6433a18031d604010dbdf18351914f33671876eb4e0ffa99adb19461c0e93f9cc0dfcc9c53f399b7457a2ddc6371b8f86feec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
810303457b5d577c359655a229ebe674

SHA1
b4fef295ec9c520d5133bdcefa8d85a98eda251f

SHA256
7030a22286ea27aad2ea738e06fc5cd01d37c188a76eb8275de0901b4d278a27

SHA512
c091bfb618101ace90853405d0bcf3b093afd3c162d80547f1662b0afb3a5c0491881bd0773bec8876b8620831b158c7c5f7a1ebda0a198c797c7a0c03823f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
14b9829f37c27c9b34388975f05a4a7f

SHA1
30f804b59dd3539e7d46607145cb55608318ed28

SHA256
cd2b6994ebe134eaaaea228f2439fe72ec29059a412d052126f0eadcf0a1e608

SHA512
89e56c2a64e223b016d796d1ea8b8cc5098cc633ea6d88ce3b3e8ff0d26589b133132394c1debd0e697fbcbb6fa3023b090d0f5691e1bee8d7ad8ff8bb766c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f4222fe109f8d10ae78fe475ab13b418

SHA1
d24be042bb1824f6d0453f569b73c8b39eba180a

SHA256
5c52dbaa40123bbce50df5db52b1de3eff29d9ba2469d71ffc3bc596a3800e6a

SHA512
74243b003343ec81cd80489ecf186a18618ddc2d8cd5da3dac4cc8a0ba2a22a50c6502b73f2891bdde953c75723a575b1e14f069cc8b9bb68bab020849925f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b461d295d7e560400532c57b23c51311

SHA1
c5e9ca3b087b5dd6f167d2b0aa14751ddb71194b

SHA256
ad43a31b9eaa0fce5a950a23363ed46288aa6a1b892001566add1c0408004b46

SHA512
c49589cc2f6d57a03dcbdd125a1180821661c087a43955e9a549f395cf303ae3353c1777f72b1fa5e743a4b3966c6e8cde064ca61e626635f46b40a321ccf2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9394ca607d8579704c3b6297c94c0c8

SHA1
98b61987cedfcb5609136c9f737e6fb16224da5f

SHA256
422213b2e4404f2a001582cbd7f67fed7a314fdf749bf1ad70f0044209d99d34

SHA512
443db691ded70a7ea341f9c77cafc54e2d6348379b450198fcbff199ce247ec9d919fc680b39cb66456293666cd8fef9de051aa4d151d4529cfd8162216ca7cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7813738c07c7f3a95d16265fe4ee86c1

SHA1
872383ca9ddb5f8102b6eb9c3b5e17ef9312e2fc

SHA256
46b7579057a4798f4fc85e4cfe120b67278fb2e9780efeeb2451937a46657d01

SHA512
b90edd920e5667da5de494a7f76a53b5f0ed0dd4e48e56a28624e1492261d88094053400638b3ebd19035c35c3d50c2f850cb4d6f3d06180c9f96cfaea33309a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8ecde76dc40a5c5304f8c160616b41b9

SHA1
107c3dbd627e8caaa9abcc640fdd9fcde03c8f55

SHA256
a519bf67a75a217bea07196719c2cf794c3e1edf3e5aca0d33c8645228250310

SHA512
329e6ccbb16e9eeb38bc32c6cb17b9e01388422e6a237e61833eed14f7f3e02e182642e386c751880f2e8071f97c74ce3a9cfdfab2fffd061c47e1f0b9ebff64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3e2e93ae8e61bee7173707b2e1cb0540

SHA1
fc9c0b334ec88bd5bd1b6bf2abb81fe6ae4d0dd4

SHA256
bd97ceae97abc64c4846a25d8bd951979bfcedf1b48f695cb47378030c107de6

SHA512
d95290c2558b8dbb475ed0f91ea5adf3b87e420cb332a14533003943c340cd8d9033ac77a273e40f54132c46cc74434980f36f5c268e44393e88b489f1c3e38d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
966b12cfc524913607276f735785cb34

SHA1
757f421d3954088fa77a4be3d460e6e027edbc3a

SHA256
3fa51a2359c59fe6d7bf9dc19e9862e0f469b9520bdde28d8fa567dbe7a1420c

SHA512
f65708abf34faaf27cd2a42ec2f8678453d8cedc2ced318b73bc0b435d8fdc10a1964cad9aeb744323a8daa94bffa791297f18b35a287ac73b9310a62a9865b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
972a51231732915ff9990116ba8c3a60

SHA1
aca6d8847505ecbda23478f389bf6db2096ae7f0

SHA256
9630bdbd7f76dd53643d7cc02bbb2504bd119b0d99a4ed9b622c46e5f6297492

SHA512
98999c851c0e1ea2cceb697ba9306df4fa275879e1f664278900874da90493083ded6ab2674a56a38b39721cf8bd3ad0e38d4047c6b806bd5a960f2357fac096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
05619abdb1e906230cb8168f27bbc8b9

SHA1
b44b90a00b43c7bbc24506aa2fe5e664c91d3cfe

SHA256
9ef43202dcc7b3ef2a615ae0440231ab864739bcf73cfcac265a7f05f40a9961

SHA512
70ddf99b78df02ab6996f75f0e540db8c024085da9b7bce5cbeab519b9e665133b04c8c32fd913a93bbcba3ae74bfb7f781fc721bfccbf7186b2712ed90aead5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
0bbc107af4307c78db0be349530d13de

SHA1
a116c5110f181e1e70b0c9383a57b63392db623e

SHA256
6c0a17812e96123067b7aa01dc9bc5c1c16e03acc5e25f7c27df7d08b26333b4

SHA512
9b656ac71bb4cc99a64d625b2d5005e983ee3bc09defed29bd4fbc4aa0819bb3cea77a542f37f582853a29bb75a09b800b2d1dc544315f13e5ce9a88b7e13422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7818132a-c5be-4122-acf3-55f1b2ea71b4.tmp

Filesize
5KB

MD5
dc251f5a3d1c72939a4a0e291112a66a

SHA1
82323e0b4b0b6ae201db9812f0bd6b8bc2de872b

SHA256
7b06d7075bdb10df2536847c68c3241d9173aed8bb8cb22aa8fd4f007f78050d

SHA512
d185ef4fae7d8ad2256a909ffd88336ad36a4baa24902c2978c451ca5a9ea4f1ad4e26aa2dbb61d3d8eabaa5e9d1b079b6c49cb7a9a1eed73af029d0aab98b95

Download Submit
C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 81939.crdownload

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
memory/1744-0-0x00007FFEF38D3000-0x00007FFEF38D5000-memory.dmp

Filesize
8KB

Download
memory/1744-34-0x00007FFEF38D3000-0x00007FFEF38D5000-memory.dmp

Filesize
8KB

Download
memory/1744-1-0x000001F666C80000-0x000001F666D4E000-memory.dmp

Filesize
824KB

Download
memory/7196-4070-0x00007FFF11F80000-0x00007FFF11F90000-memory.dmp

Filesize
64KB

Download
memory/7196-4047-0x00007FFF123A0000-0x00007FFF123B0000-memory.dmp

Filesize
64KB

Download
memory/7196-4080-0x00007FFF11FE0000-0x00007FFF12006000-memory.dmp

Filesize
152KB

Download
memory/7196-4079-0x00007FFF11FE0000-0x00007FFF12006000-memory.dmp

Filesize
152KB

Download
memory/7196-4078-0x00007FFF11FE0000-0x00007FFF12006000-memory.dmp

Filesize
152KB

Download
memory/7196-4077-0x00007FFF11FE0000-0x00007FFF12006000-memory.dmp

Filesize
152KB

Download
memory/7196-4076-0x00007FFF11FB0000-0x00007FFF11FD0000-memory.dmp

Filesize
128KB

Download
memory/7196-4075-0x00007FFF11FB0000-0x00007FFF11FD0000-memory.dmp

Filesize
128KB

Download
memory/7196-4074-0x00007FFF11FB0000-0x00007FFF11FD0000-memory.dmp

Filesize
128KB

Download
memory/7196-4073-0x00007FFF11FB0000-0x00007FFF11FD0000-memory.dmp

Filesize
128KB

Download
memory/7196-4072-0x00007FFF11FB0000-0x00007FFF11FD0000-memory.dmp

Filesize
128KB

Download
memory/7196-4071-0x00007FFF11F80000-0x00007FFF11F90000-memory.dmp

Filesize
64KB

Download
memory/7196-4082-0x00007FFF14710000-0x00007FFF14711000-memory.dmp

Filesize
4KB

Download
memory/7196-4069-0x00007FFF11E70000-0x00007FFF11E80000-memory.dmp

Filesize
64KB

Download
memory/7196-4068-0x00007FFF11E70000-0x00007FFF11E80000-memory.dmp

Filesize
64KB

Download
memory/7196-4067-0x00007FFF12B30000-0x00007FFF12B39000-memory.dmp

Filesize
36KB

Download
memory/7196-4066-0x00007FFF12B30000-0x00007FFF12B39000-memory.dmp

Filesize
36KB

Download
memory/7196-4065-0x00007FFF12B30000-0x00007FFF12B39000-memory.dmp

Filesize
36KB

Download
memory/7196-4064-0x00007FFF12B30000-0x00007FFF12B39000-memory.dmp

Filesize
36KB

Download
memory/7196-4063-0x00007FFF12B30000-0x00007FFF12B39000-memory.dmp

Filesize
36KB

Download
memory/7196-4062-0x00007FFF12B10000-0x00007FFF12B20000-memory.dmp

Filesize
64KB

Download
memory/7196-4061-0x00007FFF12B10000-0x00007FFF12B20000-memory.dmp

Filesize
64KB

Download
memory/7196-4060-0x00007FFF12B10000-0x00007FFF12B20000-memory.dmp

Filesize
64KB

Download
memory/7196-4058-0x00007FFF12B00000-0x00007FFF12B0D000-memory.dmp

Filesize
52KB

Download
memory/7196-4057-0x00007FFF12B00000-0x00007FFF12B0D000-memory.dmp

Filesize
52KB

Download
memory/7196-4056-0x00007FFF12B00000-0x00007FFF12B0D000-memory.dmp

Filesize
52KB

Download
memory/7196-4055-0x00007FFF12B00000-0x00007FFF12B0D000-memory.dmp

Filesize
52KB

Download
memory/7196-4054-0x00007FFF12AC0000-0x00007FFF12AD0000-memory.dmp

Filesize
64KB

Download
memory/7196-4053-0x00007FFF12AC0000-0x00007FFF12AD0000-memory.dmp

Filesize
64KB

Download
memory/7196-4052-0x00007FFF12A50000-0x00007FFF12A60000-memory.dmp

Filesize
64KB

Download
memory/7196-4051-0x00007FFF12A50000-0x00007FFF12A60000-memory.dmp

Filesize
64KB

Download
memory/7196-4081-0x00007FFF11FE0000-0x00007FFF12006000-memory.dmp

Filesize
152KB

Download
memory/7196-4046-0x00007FFF123A0000-0x00007FFF123B0000-memory.dmp

Filesize
64KB

Download
memory/7196-4045-0x00007FFF123A0000-0x00007FFF123B0000-memory.dmp

Filesize
64KB

Download
memory/7196-4044-0x00007FFF121F0000-0x00007FFF12200000-memory.dmp

Filesize
64KB

Download
memory/7196-4043-0x00007FFF121F0000-0x00007FFF12200000-memory.dmp

Filesize
64KB

Download
memory/7196-4042-0x00007FFF12080000-0x00007FFF12090000-memory.dmp

Filesize
64KB

Download
memory/7196-4041-0x00007FFF12080000-0x00007FFF12090000-memory.dmp

Filesize
64KB

Download
memory/7196-4048-0x00007FFF123C0000-0x00007FFF123D0000-memory.dmp

Filesize
64KB

Download
memory/7196-4040-0x00007FFF12950000-0x00007FFF1295C000-memory.dmp

Filesize
48KB

Download
memory/7196-4039-0x00007FFF12860000-0x00007FFF12880000-memory.dmp

Filesize
128KB

Download
memory/7196-4038-0x00007FFF12860000-0x00007FFF12880000-memory.dmp

Filesize
128KB

Download
memory/7196-4037-0x00007FFF12860000-0x00007FFF12880000-memory.dmp

Filesize
128KB

Download
memory/7196-4036-0x00007FFF12860000-0x00007FFF12880000-memory.dmp

Filesize
128KB

Download
memory/7196-4035-0x00007FFF12860000-0x00007FFF12880000-memory.dmp

Filesize
128KB

Download
memory/7196-4034-0x00007FFF12840000-0x00007FFF12850000-memory.dmp

Filesize
64KB

Download
memory/7196-4033-0x00007FFF12840000-0x00007FFF12850000-memory.dmp

Filesize
64KB

Download
memory/7196-4032-0x00007FFF127B0000-0x00007FFF127C0000-memory.dmp

Filesize
64KB

Download
memory/7196-4031-0x00007FFF127B0000-0x00007FFF127C0000-memory.dmp

Filesize
64KB

Download
memory/7196-4026-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4024-0x00007FFF14840000-0x00007FFF14850000-memory.dmp

Filesize
64KB

Download
memory/7196-4023-0x00007FFF14840000-0x00007FFF14850000-memory.dmp

Filesize
64KB

Download
memory/7196-4022-0x00007FFF14720000-0x00007FFF14730000-memory.dmp

Filesize
64KB

Download
memory/7196-4083-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4084-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4059-0x00007FFF12B00000-0x00007FFF12B0D000-memory.dmp

Filesize
52KB

Download
memory/7196-4050-0x00007FFF123C0000-0x00007FFF123D0000-memory.dmp

Filesize
64KB

Download
memory/7196-4049-0x00007FFF123C0000-0x00007FFF123D0000-memory.dmp

Filesize
64KB

Download
memory/7196-4027-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4028-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4029-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4030-0x00007FFF14920000-0x00007FFF14929000-memory.dmp

Filesize
36KB

Download
memory/7196-4025-0x00007FFF14890000-0x00007FFF148C0000-memory.dmp

Filesize
192KB

Download
memory/7196-4021-0x00007FFF14720000-0x00007FFF14730000-memory.dmp

Filesize
64KB

Download