lumma | bb93e4bc5ddf3f9f17a81c826205a56e4b8d0d043ff270c10fec4ff2b88b41c2

Analysis

max time kernel
230s
max time network
235s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2025, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

8KB
MD5

edc37d77532527d25325a22a5cbddaa3
SHA1

8f1fa111602b32f6b311fc72f3402f9e00abab5c
SHA256

bb93e4bc5ddf3f9f17a81c826205a56e4b8d0d043ff270c10fec4ff2b88b41c2
SHA512

01a5e151d67dec87473fe5941062d6d13baf46d61be6cba694a22d5d90b2241a03fafabf71b1153d0e22731d515cd8b9aaebe3ff08257937c4909a8671280898
SSDEEP

192:PN2x2BSQUHruljp5AG6Vb6rBlG3KOs3LBGcX9KHqyvAyGpHN:AxJQUHrull5Af8G3KOwLVXRCmpHN

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://uprootquincju.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
3920	SoftWare(2).exe
512	SoftWare(2).exe
968	SoftWare(1).exe

Loads dropped DLL 2 IoCs

pid	Process
968	SoftWare(1).exe
968	SoftWare(1).exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3920 set thread context of 512	3920	SoftWare(2).exe	136
PID 968 set thread context of 448	968	SoftWare(1).exe	142
PID 968 set thread context of 1972	968	SoftWare(1).exe	143
PID 968 set thread context of 2324	968	SoftWare(1).exe	145
PID 968 set thread context of 1608	968	SoftWare(1).exe	147

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
668	3920	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftWare(2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftWare(2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
4496	msedge.exe
4496	msedge.exe
2084	identity_helper.exe
2084	identity_helper.exe
2932	msedge.exe
2932	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
512	SoftWare(2).exe
512	SoftWare(2).exe
512	SoftWare(2).exe
512	SoftWare(2).exe
448	ngen.exe
448	ngen.exe
448	ngen.exe
448	ngen.exe
1972	ngen.exe
1972	ngen.exe
1972	ngen.exe
1972	ngen.exe
2324	ngen.exe
2324	ngen.exe
2324	ngen.exe
2324	ngen.exe
1608	ngen.exe
1608	ngen.exe
1608	ngen.exe
1608	ngen.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5072	7zG.exe
Token: 35	5072	7zG.exe
Token: SeSecurityPrivilege	5072	7zG.exe
Token: SeSecurityPrivilege	5072	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3648	4496	msedge.exe	85
PID 4496 wrote to memory of 3648	4496	msedge.exe	85
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2244	4496	msedge.exe	86
PID 4496 wrote to memory of 2284	4496	msedge.exe	87
PID 4496 wrote to memory of 2284	4496	msedge.exe	87
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88
PID 4496 wrote to memory of 4464	4496	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8601846f8,0x7ff860184708,0x7ff860184718
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9763075412705969767,12019417644972400317,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ROBLOX Cheat\" -spe -an -ai#7zMap316:86:7zEvent30586
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(2).exe
"C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(2).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3920
- C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(2).exe
  "C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 792
  2⤵
  - Program crash
  PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 3920
1⤵
PID:2884

C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(1).exe
"C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(1).exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2a9bdf9c-ad2a-4bd2-b124-f094c4c992fc.tmp

Filesize
11KB

MD5
9c4545eda84ba5b81ac40df06b201913

SHA1
f86acc80a53fa59d0c9bccb01a0072726ce917c1

SHA256
e1ed70b1b695885a0130c3a44f3177a4f0f316907445e4f573f9afda051947d9

SHA512
d5200f526a53e8851d8dc4af590f5f40f36c408e7683c6ae96ace72c29e432ee985bdd3c14d24d6565d0d9b25c18e4eb94a5b5772cb105fa6652a81f2bd9d654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5da507c2059b715761792e7106405f0

SHA1
a277fd608467c5a666cf4a4a3e16823b93c6777f

SHA256
8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8

SHA512
01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c6e13dc1762aa873320bed152204f3c

SHA1
38df427d38ca5ce6ce203490a9fb8461c7444e12

SHA256
5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371

SHA512
133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
215KB

MD5
0e9976cf5978c4cad671b37d68b935ef

SHA1
9f38e9786fbab41e6f34c2dcc041462eb11eccbc

SHA256
5e8e21f87c0a104d48abc589812e6f4e48655cabe4356cda9e3c1ceee0acaa4e

SHA512
2faa6fff6b47e20fd307a206827dc7ff4892fce8b55b59b53d3e45b7dcf5fd34cebc4776b63da5aa4d0e0408344bd4602d26d09e7a456dd286e93b768cbfaa51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9c1ecd712502cd3881805817ae077a24

SHA1
ef8e1949520275a29e722c7115383c892bb1f679

SHA256
2f738ef926b6b25cb97e18f1f8248ea4bd3d669b635416eb0abdda90d1d3c620

SHA512
339435c2dc089b45eecc0a38c42076c356e12a04208c98d194b6987f2ad86db884021e7293801ea1f42395a64e0a600bbac91b9e2b53b7172a98de26ed677504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
10a9ece0fa936b0b03ef87a2078ece32

SHA1
1faa00072e13cddc9f3d1732b05775665214a308

SHA256
4e1cda28968f8e4b2cbf2ee86144625b1b7740811f3010469791e2ab4dcc9fb5

SHA512
549f8da37c25dd58fe56e8d44e6133029c0d897b68f18414ff077aa0cb943466525401aa45c3e82871847119f83a52a74f8013739e265794e3f2a649831a8b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7933d5094253fe89ebf4085f063daf2e

SHA1
1cdf6f84006eb26ea8e70ee34a0e8e75f327b9a6

SHA256
09326342af4a317a9e647012b4a9a63df406f2a7c128cacb2acf908ba9562241

SHA512
9315a5371e4b761dcd704a9826fb66d3e571633bef68f2bb1d54a85859c06c5dbae9296b2bf658d15bdd3cac006492bcff016df58f5a4a8722b83ce02f10d552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f8b6acaf13083c5c0058d7694d1dcd94

SHA1
2ba2f677a078b64697c72c932ea8d1388aba6cf2

SHA256
81004c55cb9fccc0881201ab9c1487c7c8ccc278c6746a23192e9ff2a6773420

SHA512
c52ffe8ea5ecac756c474ecb3865335eb542dfc50ec058c5f6719593ca0c516cd2f7ca0ec3cf7d534f4b079337574fcaa4f5967878a080766e2b563969a51a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
92a634f3633d88cf861d30bd9e6a3c9d

SHA1
1eddab61e0e0b1c00077d60ec95cf5ab5445b526

SHA256
ba9b8b755418ce91f640c0253c265050bdadf7dcab09babc03ac6eb662e8a05e

SHA512
7943b6dc7f5f6a94f4ac3d5bfcdaee41f693a03e822d9c10db52358e370cc4b581e6b39c99c07280041e87e764a197420bd8d47bf6035dd8077963c61d1b13c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
72903f41da1b5e649359b9f97c2dc64d

SHA1
044f934370cacd3ef5fbb70835ed6d427ea77b9c

SHA256
608e943961ebdf7f8536c6c70da4227cd2bae1ba062059f65cfdb137f486160a

SHA512
cc4eed5556db5bb02d6f995de3e53e4c9ccfab82fb2f6e505d84057d63cc992095a18b31dfcef8ac3f1a5cd3326e632213e927c25a5e8f4d1b0ab45d778aeac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85ad4b27217517b585b2752abb160846

SHA1
7b37abe4063d54f28ca46d2efcb932171061854d

SHA256
b57d0556cc98f4441d7e8d1642cc767c73e09f816089282487123ed629398bea

SHA512
94260e719c968b03c43b61434b53e45830891c15fa1834b4f99d883982f4c5dfba6cdbaeea120162f5244de463929e9df30941d2c1f2b775fdda83adf1853137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a00dd35c7a4424a7d821aecfab3db655

SHA1
6729a7bceded30d43f0d923ec6d220ca10f17d5e

SHA256
1fbe4c19079b0cf1b4b1474c86c48e52fed2222cb975ec615343a6fff5f38072

SHA512
59cbf17dda198bfac70e1c01441c729f1fae6d9b49de72b5a14310af24224b65ec158fb91c228158a8aa77c1975fc19e8ae2d5692a4850a8f2da2826b8d73172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94f02c81166d910ac6a39f89919ed628

SHA1
0929f31c78cb89528907aeee81883a007180604e

SHA256
8b81a74f12a07f5c6f5677821e0c56e431996c0fd9993074ada96561ddee054a

SHA512
c9a53e8f5900306eb44b248329cc2556fcb3c44d7d8e7fe20490d5e32c3fc046041f05ec0f35dcbd855612a317d8f6debb96fda7b7bb81b1a2283ba1cdbcc16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4dda15588f5d661bfa174a29d3e06cae

SHA1
f70831509624ddea6cc1de3d41d369382a90b178

SHA256
2ea612c5ff0fdcf2d9799d4dd7e7f202cb8957875dcd286b7dda3d9bf333c34f

SHA512
e3ffa45c7220258545cd64475c4c35b17f2c4e6355babcf69857f2c80695e32f9fc0c3b30a93f397baea8af11b183cc799ed535820344ba2f010c8cfeb1403ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec6ea4fc240c501ab1fee39ee768d7fd

SHA1
1a75be35ddb95825daaf3afe4da8311d68b60fc9

SHA256
707e1d02061730a3526cda515d03776728ce630b8cb8b1e6ce77bee4a5bb2fee

SHA512
1e1dd79b0bd7f5d35db2227e18578a2388a8e04646cc3161a6d7c95e68c187b423a3f75bf0ecdd424c8b92d1937acf861186cd6a94f54b05dc95704431bc223a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7bbdbcb46ea0b83d52056722f8f10237

SHA1
24133dd1f0f57a185d86311bc3bbcc0a47a78d62

SHA256
fa12de9cacd91a25ef684710b1d4d66457dafa6b0502450c624eea8d5af1599e

SHA512
2aebd151b4895d77e97ba26bbcdc4a5f462e7e6c2dea9e25f6347fe31febecce404a0e22b9c5c8706da5d3ba7667d275c363ec0ea44790714d50463250455d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
baa1a76809a7d9831b7331cddbb58fc8

SHA1
75c48578e7b8b3471be1aca01fe3bb87fb105761

SHA256
8a5c645360aba20b649ae4527c31d281d4d820218780e9d983964d144672d03d

SHA512
faa393a4f210e1490657e639c138837ba517d0f607b06f17de69cfd16d716dfc604baddb59c4bee4f275ab3ab6197486d5ede036767d18204061e92802f16d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5958d4.TMP

Filesize
1KB

MD5
8de8762a572384d53d74afbc8b896698

SHA1
5dfc19071bb1105c5b1857d58dd11dd9c397281b

SHA256
67b80f0a5bbd5c4c1500d16c3ef290cc7909abf19233397dc6698da5b2cdb83c

SHA512
21009b2415c3f4021c337b816eb90d66c6bb49bb480155fa1e7c6c00dde8aac0bbe8db1b9a44cf6914438c071dbc0a6218ce28b145207ed9fcce3df2cc5728e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
be4af97656c8ad48337a0e73f92c6d12

SHA1
5158bbe8f110792115932ec2e818b3fcf053f10c

SHA256
f8281eda0a161e6fa78a4c0e1da86e410d00ee76c57a9c9b041445f879dac48a

SHA512
6155e8079e01de54aedc9ca624ab55953cd0fcafd87cb3abd5b26ce31feac4443f419969dc1a0d51759cf1f22c6e836464e87a0e03ded087fff89b062e24dfea

Download Submit
C:\Users\Admin\Downloads\ROBLOX Cheat.zip

Filesize
15.7MB

MD5
2116e9c732f938782923247762408539

SHA1
eaa8eda595406bdd4a6cae8528ee69aced16d3bc

SHA256
f86b97ac60afcb4b18961a872abb6069a1b0d6d13a176a32e8d340d4961dde81

SHA512
061a68897575c4fc3133fe1868b4a4f5d446f6d97165ca2c7901f5cb5acb82feba154bd7e6076f29c6bfaa7a30c5aa4b692a7c85512da2e4e515987e1652ae49

Download Submit
C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(1).exe

Filesize
633KB

MD5
a3d33d33f8b10595c252ee8e61a8892c

SHA1
f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

SHA256
fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

SHA512
5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

Download Submit
C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare(2).exe

Filesize
688KB

MD5
34d31426b3e9ab9ee6be8f483f3dca21

SHA1
d47c1d75a3288b34f470ee91792258b6111ef043

SHA256
84f1da624d1de4bc49a0a64e709fa40c077731a9ed017458d3c177af772671e6

SHA512
7516d8b8dcb2a4d09544d156ff98fb9f502d321f9f91e324d5d41a6a325d86d134105b13131acd1515ae304d4ae390a25d1c0d437ee8e292a6e6efdecd9cda93

Download Submit
C:\Users\Admin\Downloads\ROBLOX Cheat\tier0_s64.dll

Filesize
410KB

MD5
328655e0f2611479a90db044ab130373

SHA1
d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

SHA256
586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

SHA512
8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

Download Submit
C:\Users\Admin\Downloads\ROBLOX Cheat\vstdlib_s64.dll

Filesize
4.1MB

MD5
4fc1435376b3e8c071dd611b54039feb

SHA1
73721daddca91e82fd111a06b4a8952422820af3

SHA256
5404ecc836fee4b6a3fed0d52a78472ed68d5c6972a0652e51bed3dc309c65fa

SHA512
223ec67ec5a51c2f7b2e9701087a358a4d1f2c4b3a525bb94a901abc00deadd436ede927ddcbbafe27e8833c8869459864fe58be13e96d86ddf3df70d62e447f

Download Submit
memory/448-615-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/448-616-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/512-605-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/512-607-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-602-0x0000000000CF0000-0x0000000000DA4000-memory.dmp

Filesize
720KB

Download
memory/3920-603-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download