8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Resubmissions

12-12-2024 00:14

241212-ajt12sxrdj 8

Analysis

max time kernel
178s
max time network
180s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.23.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3896	Bloxstrap-v2.8.1.exe
4888	RobloxPlayerBeta.exe

Loads dropped DLL 12 IoCs

pid	Process
2560	MsiExec.exe
2560	MsiExec.exe
3860	MsiExec.exe
3860	MsiExec.exe
3860	MsiExec.exe
3860	MsiExec.exe
3860	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
1472	MsiExec.exe
2560	MsiExec.exe
4888	RobloxPlayerBeta.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	4520	msiexec.exe
10	4520	msiexec.exe
11	4520	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
44	camo.githubusercontent.com
45	camo.githubusercontent.com
46	camo.githubusercontent.com
47	camo.githubusercontent.com
48	camo.githubusercontent.com
49	camo.githubusercontent.com
12	camo.githubusercontent.com
13	raw.githubusercontent.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4888	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe
4888	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-prefix.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\sentence.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\lte.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\binary-extensions\binary-extensions.json.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\deduper.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tlog\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip\lib\ip.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\compile_commands_json.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\logout.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\rm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\which\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\common-ancestor-path\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\snapshot.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\duplexify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\client\error.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\outside.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\namespace.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\hosted-git-info\lib\parse-url.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\depd\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\defaults\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\log-shim.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\Find-VisualStudio.cs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string_decoder\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-view.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\types.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\corepack.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\metadata.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\get-identity.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\brace-expansion\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\center.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\env-replace.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\printable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\eclipse.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\example\dns.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\workspaces.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\merkle\digest.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\node_modules\ms\license.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-bugs.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\delegates\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\rebuild.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agent-base\dist\src\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\deepest-nesting-target.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\defaults\index.js	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIAA69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAB9.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0C6.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a690.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF38EADE61E8B5A7E5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAEB.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA3C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB62FE6C1FF3B61BC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA99.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBACA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE8C4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF36A5EDC3A625FCB.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a690.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE75C.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a694.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0EFEB41F15B2F8C0.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3572	ipconfig.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\DefaultIcon	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\shell\open\command	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\URL Protocol	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\shell	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\URL Protocol	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\DefaultIcon	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\shell	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\shell\open\command	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap-v2.8.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox\shell\open	Bloxstrap-v2.8.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\roblox-player\shell\open	Bloxstrap-v2.8.1.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 209881.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:SmartScreen:$DATA	Bloxstrap-v2.8.1.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.8.1.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3996	BootstrapperV1.23.exe
3996	BootstrapperV1.23.exe
4520	msiexec.exe
4520	msiexec.exe
564	msedge.exe
564	msedge.exe
3568	msedge.exe
3568	msedge.exe
3036	identity_helper.exe
3036	identity_helper.exe
3440	msedge.exe
3440	msedge.exe
3656	msedge.exe
3656	msedge.exe
3896	Bloxstrap-v2.8.1.exe
3896	Bloxstrap-v2.8.1.exe
4888	RobloxPlayerBeta.exe
3568	msedge.exe
3568	msedge.exe
5592	msedge.exe
5592	msedge.exe
2748	msedge.exe
2748	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
5592	msedge.exe
5592	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3656	WMIC.exe
Token: SeSecurityPrivilege	3656	WMIC.exe
Token: SeTakeOwnershipPrivilege	3656	WMIC.exe
Token: SeLoadDriverPrivilege	3656	WMIC.exe
Token: SeSystemProfilePrivilege	3656	WMIC.exe
Token: SeSystemtimePrivilege	3656	WMIC.exe
Token: SeProfSingleProcessPrivilege	3656	WMIC.exe
Token: SeIncBasePriorityPrivilege	3656	WMIC.exe
Token: SeCreatePagefilePrivilege	3656	WMIC.exe
Token: SeBackupPrivilege	3656	WMIC.exe
Token: SeRestorePrivilege	3656	WMIC.exe
Token: SeShutdownPrivilege	3656	WMIC.exe
Token: SeDebugPrivilege	3656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3656	WMIC.exe
Token: SeRemoteShutdownPrivilege	3656	WMIC.exe
Token: SeUndockPrivilege	3656	WMIC.exe
Token: SeManageVolumePrivilege	3656	WMIC.exe
Token: 33	3656	WMIC.exe
Token: 34	3656	WMIC.exe
Token: 35	3656	WMIC.exe
Token: 36	3656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3656	WMIC.exe
Token: SeSecurityPrivilege	3656	WMIC.exe
Token: SeTakeOwnershipPrivilege	3656	WMIC.exe
Token: SeLoadDriverPrivilege	3656	WMIC.exe
Token: SeSystemProfilePrivilege	3656	WMIC.exe
Token: SeSystemtimePrivilege	3656	WMIC.exe
Token: SeProfSingleProcessPrivilege	3656	WMIC.exe
Token: SeIncBasePriorityPrivilege	3656	WMIC.exe
Token: SeCreatePagefilePrivilege	3656	WMIC.exe
Token: SeBackupPrivilege	3656	WMIC.exe
Token: SeRestorePrivilege	3656	WMIC.exe
Token: SeShutdownPrivilege	3656	WMIC.exe
Token: SeDebugPrivilege	3656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3656	WMIC.exe
Token: SeRemoteShutdownPrivilege	3656	WMIC.exe
Token: SeUndockPrivilege	3656	WMIC.exe
Token: SeManageVolumePrivilege	3656	WMIC.exe
Token: 33	3656	WMIC.exe
Token: 34	3656	WMIC.exe
Token: 35	3656	WMIC.exe
Token: 36	3656	WMIC.exe
Token: SeDebugPrivilege	3996	BootstrapperV1.23.exe
Token: SeShutdownPrivilege	3208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3208	msiexec.exe
Token: SeSecurityPrivilege	4520	msiexec.exe
Token: SeCreateTokenPrivilege	3208	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3208	msiexec.exe
Token: SeLockMemoryPrivilege	3208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3208	msiexec.exe
Token: SeMachineAccountPrivilege	3208	msiexec.exe
Token: SeTcbPrivilege	3208	msiexec.exe
Token: SeSecurityPrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeLoadDriverPrivilege	3208	msiexec.exe
Token: SeSystemProfilePrivilege	3208	msiexec.exe
Token: SeSystemtimePrivilege	3208	msiexec.exe
Token: SeProfSingleProcessPrivilege	3208	msiexec.exe
Token: SeIncBasePriorityPrivilege	3208	msiexec.exe
Token: SeCreatePagefilePrivilege	3208	msiexec.exe
Token: SeCreatePermanentPrivilege	3208	msiexec.exe
Token: SeBackupPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeShutdownPrivilege	3208	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3896	Bloxstrap-v2.8.1.exe
3568	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4888	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4820	3996	BootstrapperV1.23.exe	80
PID 3996 wrote to memory of 4820	3996	BootstrapperV1.23.exe	80
PID 4820 wrote to memory of 3572	4820	cmd.exe	82
PID 4820 wrote to memory of 3572	4820	cmd.exe	82
PID 3996 wrote to memory of 4164	3996	BootstrapperV1.23.exe	83
PID 3996 wrote to memory of 4164	3996	BootstrapperV1.23.exe	83
PID 4164 wrote to memory of 3656	4164	cmd.exe	85
PID 4164 wrote to memory of 3656	4164	cmd.exe	85
PID 3996 wrote to memory of 3208	3996	BootstrapperV1.23.exe	87
PID 3996 wrote to memory of 3208	3996	BootstrapperV1.23.exe	87
PID 4520 wrote to memory of 2560	4520	msiexec.exe	91
PID 4520 wrote to memory of 2560	4520	msiexec.exe	91
PID 4520 wrote to memory of 3860	4520	msiexec.exe	92
PID 4520 wrote to memory of 3860	4520	msiexec.exe	92
PID 4520 wrote to memory of 3860	4520	msiexec.exe	92
PID 3568 wrote to memory of 1496	3568	msedge.exe	94
PID 3568 wrote to memory of 1496	3568	msedge.exe	94
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 2044	3568	msedge.exe	95
PID 3568 wrote to memory of 564	3568	msedge.exe	96
PID 3568 wrote to memory of 564	3568	msedge.exe	96
PID 3568 wrote to memory of 1600	3568	msedge.exe	97
PID 3568 wrote to memory of 1600	3568	msedge.exe	97
PID 3568 wrote to memory of 1600	3568	msedge.exe	97
PID 3568 wrote to memory of 1600	3568	msedge.exe	97
PID 3568 wrote to memory of 1600	3568	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 5E66D8C9B3F7FC838A300607A0F4C8F8
  2⤵
  - Loads dropped DLL
  PID:2560
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7A6DB84F40F42E4DECC5C6CD761B6A58
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 32440F2E52D2475E9F2027B0AD386806 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1472
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9dc03cb8,0x7ffe9dc03cc8,0x7ffe9dc03cd8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1864
- C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe
  "C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3896
- - C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.exe
    "C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,14069888036230222382,6813846826124895400,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004CC
1⤵
PID:3432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xec,0x10c,0x7ffe9dc03cb8,0x7ffe9dc03cc8,0x7ffe9dc03cd8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8368028315870594891,6434059924989928586,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:6152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8368028315870594891,6434059924989928586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8368028315870594891,6434059924989928586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8368028315870594891,6434059924989928586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8368028315870594891,6434059924989928586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:6304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8368028315870594891,6434059924989928586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 /prefetch:8
  2⤵
  PID:6884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a693.rbs

Filesize
1.0MB

MD5
1a267dfa0063b89091adcef7886a527c

SHA1
da3328841d9c1469ef9b60c05b0226b29c81b4eb

SHA256
450a1bfb08c06804678e2fc988884b661118cc894225efa1710152e14f8251c2

SHA512
4d37c4f073ca377e9e9bda289d9386b37fce7bd82e0305c8a500c8d76384ef01b84767d0771865641791796deb8ea7ada7bfde7022d00aaa273d7d6653213a8f

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Roblox\Player\RobloxPlayerBeta.dll

Filesize
15.3MB

MD5
944e3c01d10ea19d48ab028741a6604d

SHA1
6aec8d5dd1a4c573161d2e042fe94047ac18a034

SHA256
3dafd8d5e14f3dfc5c6fc1b76667828b2c76bda62a7a22478a4ed3bffad14260

SHA512
435c1197320f1d792fd9f37fa44792794b728784fb7b0e3f2ed25d31f4276342fd6a7562b70eb0ce7475823179a55c13f2ceef0d51c503ecef60ea960ef1a456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
07fd01d492742b60a16fde0481a61103

SHA1
567de586760a629cbd60ea09e20721d49a7ee28c

SHA256
c4725bd3586ff4c9cf7ae4bd9078cdb58b5634059e79acea727a75b26ccac5a9

SHA512
a76a511549abc493acf2d8475eba6160f7670fbe539e9f901be0b5bcf165e4f9ff7c6604bbc8c8184d33522a5c88fd4b8a99b9ad976be61c4bb55a539cdc043f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24945104fc04a4953f05407e71df7533

SHA1
f20efff1d294ec306fa5b367ffc2b96c69c9fb1b

SHA256
13f3f502278dc178379e2720017ccd5d13d7fc11d253907795bcea7c30b160ac

SHA512
f24e37d054858b3a9a80f8981c6c841e0c3cbe7aef9eddfacc24c5ddf8d2d084bc1cb1c5dc99cbb79cdcad22dde4ecb4c602f0defa7202f732eb602886fe6b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\549a21ea-b32e-4eac-8aba-73b2515ae877.tmp

Filesize
5KB

MD5
fd67998686587c223f2518fcd900b0ea

SHA1
323a28fb5bdb9fc198a4ffdc33c6c7a5b8c6aca6

SHA256
87863f570c0193dff2e4f91c6946970f2014cb2d8d7c68e0dde269deed524fb6

SHA512
a628a54e5dcc17a7b31d89216795cef90cf71abcac8f7c80e3552c2b46ef5f692e2cc693c117db5bb542c8f1b3dd60d225f821dc44c16aa24fc057df8c5a820a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
48b98785b88b52ffdf9b5f223ca93970

SHA1
43577238f8a60d85da25efcab28c2490d0f16af6

SHA256
81871b338be7f416cf487a19143b33b7bc2fdb99ebc53424ae6ae1fbbf6d1aac

SHA512
3499524e00bcef3c8a97e0ccbb5c1cc5e36f777d96267f281050b17be2f5143f863f1faa6ad2cccd147f0631adad1e153982770dc7a251dd7c69219634f5d3d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
062ff8fc03d93538eff835135299fb59

SHA1
2ff8568a3fef82158535a09062398facf286ed61

SHA256
87bf2442b36b162574941f52d8520afb811ae519f3bae5f0532b86302c7584b4

SHA512
e1cb3b8f87cdb6e72b4e2d4be6e7dbf4fcd9f65239d4218d7551634734f0b94a82173e8be23a5cdf5d29152cfa605ef5dbce662e155b73c3fa829aa710c2f5df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
20b1361f5a36081a21170bac215be7be

SHA1
8b83441142b93a160b9839b63dff0fe76382d66c

SHA256
776a93a81dab247534bcafba77177077ed25b4486b76500647f6e15e59459443

SHA512
e22f11dcf20b232c07a6f0a58622cf932e6f265b05f737e12d31241a95086e4511e0da7dee22316044861615069898c16bbbd808ec06cdf5f47e97700010a830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
4780825320968d858d9d6ea3f50a5263

SHA1
9b92aee371820db10f179f14b7caa70300c812c5

SHA256
e8d91ec70c88c494d2353486da2b1a4ef7b0bf38c31143bbc4307baf0409cba1

SHA512
f777aebba789c90993ffaedda7086a1d4df6484621944e6a8b81af773af24425e578f7317cd3df99a303163ddf0cdd94186cd3e06e49de5e954fb1b84fe00460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
aa8d001e247d6798b5443383fbdfcdd4

SHA1
b9f02e37700edc5e41f3cd1dad0bf5f8044c8542

SHA256
45634ecb3f528dacc703b912826bf23dcab5068331c3056ee517aba41ecdeaad

SHA512
f18b2810e92d779156e5509c02ee178976f691d1598d96f3476e4c098b7c14b37f1036276ede0b582bca192841eee81e18928d8ee15edd94f960ef72e8b8e51b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
94aee45e0a6c7c506a00cb75d1f39a62

SHA1
e5d873fc58b14c8f6cc4b82641b5da176c2029fe

SHA256
0a46f30c6e2c7bdbea41acc50d76f4235106f970c5312d8252ef722b66a6d963

SHA512
1ccb44467a6faeb1b85d64e172e62d84a9e0d4786f17e44105c14a8370872afe0abe6d0784dd3dce455022c2857c77aa858ac0fd77d662490061c9b16049239e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7742e534eb855ca29a1affdb99ee4ee2

SHA1
121bda7646a2724b2a36baecb2a21db33c54df92

SHA256
caba99c8c768c7832442249541c0c0ce68fdd81f6a35dc9f90312470a8de0d2d

SHA512
d71c3a2d7f1f08477da1ab2d97602c96d025b7eff08dc77900f736ac96ac3a662a98206ebddcc761efe7b4aef420dc0e8ee8a2256af2c59eb870147995d156d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
44a8199850125f8f9e43a41f723a1832

SHA1
0805f7b1ee78ec4270a8cac2e44b981f4802cb56

SHA256
0c1769179223794b3df3a2fc731fbd98ec1f530390fdf36a8301fb319c6bd5bf

SHA512
42763604172fbd103d6e4541f282d3e1eaef3b1cf630e39b9c111cf5cd198eefe09c64588cb3825d649826ee2de270943e33d5738b4283cc8e9dacc3bc42b673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
215c6a69f349b30dca350f2c7dafb5ff

SHA1
893cde351ea8b809c228f9abc19c0c307da9b186

SHA256
3a19b37fedb90c0a36e872e1cf097583210c2386f310db449354c7d3bef55543

SHA512
34e5e6c0ad612757282594689e24385038132739610219b0b2cf7fc662d8d4c886afa5e97c61b19dec2e2759b0575106a664d1d794c7b1cc84c05b6151295073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efe53ed2fbac405e3484c51003788872

SHA1
e034060a3c83fe9462bb42380a67a2517511b2d5

SHA256
5d6187e8d24d4d0f5e23dae53e9bfb00d0822af088f9178c837c298958da2f6e

SHA512
3e074e2ea67770af00143484993421444c1c100ee26360ec17ce9552a9c292d2d34016f999ddc4b256287cfc031c4a0068349a32d318b6ebf556ee444b82c49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36eb83b758d40c84146a88b20ffa4684

SHA1
a2f8a1d03ea2a6a42fce508bc02125e7685b2744

SHA256
9260041cdaadeedf5f2bd289774718d4843bf9d7ff81b6e865fb294810f73346

SHA512
4c0f2de07a01703f20ceb38fe547429c3f7c32f82654e6dc453b44a33d0adc8f45a3fb9194219a4caedb6c7adfb0f4ec96c33ee6d41548854a41fe55a388af2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9ee1c469e81317694f40c989c1c4cd59

SHA1
992f5d4b26c9dc3db3f04f3880045b0b717cb775

SHA256
78ab4ab5ce83ad4df924d9e2ab6133226183d7128b3a464df1625440a63a78ff

SHA512
536af6f4940f0bb6e658a7a06e6dac3706b203f2a30dc9f2af0cd9bfc401e153debd2b960d3785d88ca31f74ec8211b0c6dcd671ada33d0ef9ea3432918a9101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a616b070dfdf597b5e064cc64ecad4e

SHA1
80689529d8c480b3e8133624d6c24092fbe0bbe7

SHA256
31106f9321f863e9e9d2478ee78ea419ccdea63254f96de42056ad0eb129a6ec

SHA512
2266309c1bfb23f2ad34434e01c18f73bf55b5f93d7e323727e0fe1209ee00ed32c9d3f1deb9f87bcdea6ffc829eccc5657850a37ae4a95d2dc45687b8e3a139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
b759f27a72def706de062449f084845b

SHA1
309a31a377fe13c43ab084de85815a828320eddd

SHA256
3b64b515785ccaa565de028dd3e29fb74aca9c2a5450ed5851401087dd7842e8

SHA512
a7c0aa39d5146cf6503596bac6e5ff5fc4fafa4b433c8342d5b6f65fcdac1a838168f823b9dacd54b12d3292d6cb11ee6164b312837af75572fa8e0c3d652f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d2bddbd9f9b4d8bc8a1c440e73c55c2e

SHA1
6b91d707c260bc4935fdfa422dee8af7615ad9da

SHA256
027cc4ffa7732a76de580144bbdba357ab1c66cc43749e1d4ec589410879d011

SHA512
8b642bd56ed6feba9d147abb69068e49567d93a0524e53d9169162c260b174dd80eefbf1efc3ddf3974785a1ec9332f8938fcbd2108ea312d08b6bfd14fdbe22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6f093ff85303f79aa366a38d4f454fb8

SHA1
ddbd8e61f257e7c5d080286fca6ad5370aa063c1

SHA256
a1f39b1e38e0e5fdbc47703121838c0cb179ec9408ad836bebdb9892a920fa3a

SHA512
b0d323bac08e28a9ff84755ae29b9c06d790b7c30c7d849827531e31cc60bd3797e65f9000272dffc9bd1b739764e0ebedc9b32c42e6cddb838865d13d8f19c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5819cc.TMP

Filesize
1KB

MD5
74ff79d66ed9c89f721fab3b105a0a5e

SHA1
cdbee0d33a9d6e2e1fb96dcb7a05aef0babeeb5d

SHA256
87f818057c57d7f152c86bc01bbebdcbd00fe58b68e6b5b370255db1d6920557

SHA512
17c936ea7326aa412b49a5e7338cf789185fbbb8af13a7990061bb6b651d0eee842a7ece3a5e2e43916d5051704ca4e1607f4f1da16f57e554588d00701c6552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
019a59dedbd23434e0c7b4a6dfcf69f2

SHA1
9506dde063ded9872c1407f2b62855a9c88b4458

SHA256
f2265f43ed4bf059256d72a3167207dcf2052ea566ae30776113e4f5a076657b

SHA512
10a247739ebbbf0da575f99a840bc5ae5aba648ed81828849ea0c1318651e5e296135719fceadfc64e883a800acda80df66271faa34dbb39e7e9d597d924b410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12e5aa2d0516191a08bcde93a46cfeca

SHA1
148ca1398fb870ee3f4a111cecf290af1f2be0a0

SHA256
e525bc2dfc1f73be6979aa88b6d6ccd53516719a23faa2bb4279b082d141ef4c

SHA512
a901106cc2c2c3f4ba84e13d10fea57c3278ac5822d6d0aacb25fdf730080a5ed6125605d8811eb693df7c1cba1f3aec170aeee7220ed66443f5b88eed1b4039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa70d97fb07dcc736056fe3c2b77ccd7

SHA1
0b501ff192a73b269f6a6231d2a451b61b217acf

SHA256
497979542466a4eecd4d425d0d72ffb5db6aabfeaf8ee57be074928d75cb469d

SHA512
c9f11812f335ea0956ca04c578ad28cce715bebfd1515ad012f4fba76a39e915df78d162b6083941be7fac9a2ad61983545239b59b55fb7e5f76c533d875170b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b08c0c71fca23a4c560907a56fae477f

SHA1
c01d68d036373f730f8ad2d33fee4689ea29a640

SHA256
064137e7bb736bd04fdc7ebab835c72c77b39f1b2fe930cc186ce4bd1a39f857

SHA512
d367622fde0615c0a6746112dc52842c2c8840d4b523c834360867c1eef22511fb70e8d8836f77754d21c21f980d188aae67b3b2cc933daaa5b268490a31db43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
172631b4248af3d5c2b32d1c6177786c

SHA1
250481995f4b8d9a656983031a0842617b92bb72

SHA256
068050ff777df52b2f99637feee66983fa5bd3bd2d7b94b920d791db9bfa7234

SHA512
1fea9c47e10bb26d5ab0b8f1eb2c01a13596f31a6a23716a49bbca01480a432a81497e8bed25910a93c9279cbbbb3ef54f0b74486eda479af90e438d79c543e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\Downloads\Bloxstrap-v2.8.1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 209881.crdownload

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
C:\Windows\Installer\MSIAA69.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIAAB9.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIB0C6.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/3996-1-0x000001DA4F740000-0x000001DA4F80E000-memory.dmp

Filesize
824KB

Download
memory/3996-2-0x00007FFE8EB80000-0x00007FFE8F642000-memory.dmp

Filesize
10.8MB

Download
memory/3996-0-0x00007FFE8EB83000-0x00007FFE8EB85000-memory.dmp

Filesize
8KB

Download
memory/3996-4-0x00007FFE8EB83000-0x00007FFE8EB85000-memory.dmp

Filesize
8KB

Download
memory/3996-5-0x000001DA6B450000-0x000001DA6B472000-memory.dmp

Filesize
136KB

Download
memory/3996-29-0x00007FFE8EB80000-0x00007FFE8F642000-memory.dmp

Filesize
10.8MB

Download
memory/4888-6396-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6442-0x00007FFEAD680000-0x00007FFEAD6A0000-memory.dmp

Filesize
128KB

Download
memory/4888-6415-0x00007FFEAD420000-0x00007FFEAD430000-memory.dmp

Filesize
64KB

Download
memory/4888-6420-0x00007FFEAD440000-0x00007FFEAD450000-memory.dmp

Filesize
64KB

Download
memory/4888-6419-0x00007FFEAD440000-0x00007FFEAD450000-memory.dmp

Filesize
64KB

Download
memory/4888-6418-0x00007FFEAD440000-0x00007FFEAD450000-memory.dmp

Filesize
64KB

Download
memory/4888-6417-0x00007FFEAD420000-0x00007FFEAD430000-memory.dmp

Filesize
64KB

Download
memory/4888-6416-0x00007FFEAD420000-0x00007FFEAD430000-memory.dmp

Filesize
64KB

Download
memory/4888-6412-0x00007FFEAD100000-0x00007FFEAD110000-memory.dmp

Filesize
64KB

Download
memory/4888-6414-0x00007FFEAD270000-0x00007FFEAD280000-memory.dmp

Filesize
64KB

Download
memory/4888-6413-0x00007FFEAD270000-0x00007FFEAD280000-memory.dmp

Filesize
64KB

Download
memory/4888-6411-0x00007FFEAD100000-0x00007FFEAD110000-memory.dmp

Filesize
64KB

Download
memory/4888-6423-0x00007FFEAE980000-0x00007FFEAE990000-memory.dmp

Filesize
64KB

Download
memory/4888-6429-0x00007FFEAE9C0000-0x00007FFEAE9CD000-memory.dmp

Filesize
52KB

Download
memory/4888-6436-0x00007FFEAEE30000-0x00007FFEAEE39000-memory.dmp

Filesize
36KB

Download
memory/4888-6435-0x00007FFEAEE30000-0x00007FFEAEE39000-memory.dmp

Filesize
36KB

Download
memory/4888-6445-0x00007FFEAD680000-0x00007FFEAD6A0000-memory.dmp

Filesize
128KB

Download
memory/4888-6454-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6453-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6452-0x00007FFEAF9D0000-0x00007FFEAF9D1000-memory.dmp

Filesize
4KB

Download
memory/4888-6451-0x00007FFEAD6B0000-0x00007FFEAD6D6000-memory.dmp

Filesize
152KB

Download
memory/4888-6450-0x00007FFEAD6B0000-0x00007FFEAD6D6000-memory.dmp

Filesize
152KB

Download
memory/4888-6449-0x00007FFEAD6B0000-0x00007FFEAD6D6000-memory.dmp

Filesize
152KB

Download
memory/4888-6448-0x00007FFEAD6B0000-0x00007FFEAD6D6000-memory.dmp

Filesize
152KB

Download
memory/4888-6447-0x00007FFEAD6B0000-0x00007FFEAD6D6000-memory.dmp

Filesize
152KB

Download
memory/4888-6446-0x00007FFEAD680000-0x00007FFEAD6A0000-memory.dmp

Filesize
128KB

Download
memory/4888-6444-0x00007FFEAD680000-0x00007FFEAD6A0000-memory.dmp

Filesize
128KB

Download
memory/4888-6440-0x00007FFEAD650000-0x00007FFEAD660000-memory.dmp

Filesize
64KB

Download
memory/4888-6439-0x00007FFEAD540000-0x00007FFEAD550000-memory.dmp

Filesize
64KB

Download
memory/4888-6438-0x00007FFEAD540000-0x00007FFEAD550000-memory.dmp

Filesize
64KB

Download
memory/4888-6443-0x00007FFEAD680000-0x00007FFEAD6A0000-memory.dmp

Filesize
128KB

Download
memory/4888-6392-0x00007FFEAF9E0000-0x00007FFEAF9F0000-memory.dmp

Filesize
64KB

Download
memory/4888-6441-0x00007FFEAD650000-0x00007FFEAD660000-memory.dmp

Filesize
64KB

Download
memory/4888-6437-0x00007FFEAEE30000-0x00007FFEAEE39000-memory.dmp

Filesize
36KB

Download
memory/4888-6433-0x00007FFEAEE30000-0x00007FFEAEE39000-memory.dmp

Filesize
36KB

Download
memory/4888-6434-0x00007FFEAEE30000-0x00007FFEAEE39000-memory.dmp

Filesize
36KB

Download
memory/4888-6432-0x00007FFEAEE10000-0x00007FFEAEE20000-memory.dmp

Filesize
64KB

Download
memory/4888-6430-0x00007FFEAEE10000-0x00007FFEAEE20000-memory.dmp

Filesize
64KB

Download
memory/4888-6428-0x00007FFEAE9C0000-0x00007FFEAE9CD000-memory.dmp

Filesize
52KB

Download
memory/4888-6427-0x00007FFEAE9C0000-0x00007FFEAE9CD000-memory.dmp

Filesize
52KB

Download
memory/4888-6426-0x00007FFEAE9C0000-0x00007FFEAE9CD000-memory.dmp

Filesize
52KB

Download
memory/4888-6425-0x00007FFEAE9C0000-0x00007FFEAE9CD000-memory.dmp

Filesize
52KB

Download
memory/4888-6431-0x00007FFEAEE10000-0x00007FFEAEE20000-memory.dmp

Filesize
64KB

Download
memory/4888-6422-0x00007FFEAE910000-0x00007FFEAE920000-memory.dmp

Filesize
64KB

Download
memory/4888-6421-0x00007FFEAE910000-0x00007FFEAE920000-memory.dmp

Filesize
64KB

Download
memory/4888-6424-0x00007FFEAE980000-0x00007FFEAE990000-memory.dmp

Filesize
64KB

Download
memory/4888-6393-0x00007FFEAFB00000-0x00007FFEAFB10000-memory.dmp

Filesize
64KB

Download
memory/4888-6394-0x00007FFEAFB00000-0x00007FFEAFB10000-memory.dmp

Filesize
64KB

Download
memory/4888-6397-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6401-0x00007FFEAEA10000-0x00007FFEAEA20000-memory.dmp

Filesize
64KB

Download
memory/4888-6402-0x00007FFEAEA10000-0x00007FFEAEA20000-memory.dmp

Filesize
64KB

Download
memory/4888-6403-0x00007FFEAEAA0000-0x00007FFEAEAB0000-memory.dmp

Filesize
64KB

Download
memory/4888-6404-0x00007FFEAEAA0000-0x00007FFEAEAB0000-memory.dmp

Filesize
64KB

Download
memory/4888-6405-0x00007FFEAEAC0000-0x00007FFEAEAE0000-memory.dmp

Filesize
128KB

Download
memory/4888-6406-0x00007FFEAEAC0000-0x00007FFEAEAE0000-memory.dmp

Filesize
128KB

Download
memory/4888-6407-0x00007FFEAEAC0000-0x00007FFEAEAE0000-memory.dmp

Filesize
128KB

Download
memory/4888-6408-0x00007FFEAEAC0000-0x00007FFEAEAE0000-memory.dmp

Filesize
128KB

Download
memory/4888-6409-0x00007FFEAEAC0000-0x00007FFEAEAE0000-memory.dmp

Filesize
128KB

Download
memory/4888-6410-0x00007FFEAEBB0000-0x00007FFEAEBBC000-memory.dmp

Filesize
48KB

Download
memory/4888-6398-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6399-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6400-0x00007FFEAFBE0000-0x00007FFEAFBE9000-memory.dmp

Filesize
36KB

Download
memory/4888-6395-0x00007FFEAFB50000-0x00007FFEAFB80000-memory.dmp

Filesize
192KB

Download
memory/4888-6391-0x00007FFEAF9E0000-0x00007FFEAF9F0000-memory.dmp

Filesize
64KB

Download