hxxps://cdn[.]discordapp[.]com/attachments/1008874207028981800/1053914756156755989/SeerX[.]exe

Resubmissions

18/12/2022, 07:46

221218-jlyaxsba38 10

18/12/2022, 07:40

221218-jhzdtadh5w 8

Analysis

max time kernel
206s
max time network
623s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2022, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1008874207028981800/1053914756156755989/SeerX.exe

Score

10^/10

discovery evasion spyware stealer trojan upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4608 created 2600	4608	RobloxPlayerBeta.exe	54

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
3844	RobloxPlayerLauncher.exe
1300	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
4780	RobloxPlayerLauncher.exe
1924	RobloxPlayerLauncher.exe
4876	RobloxPlayerLauncher.exe
4608	RobloxPlayerBeta.exe
3672	RobloxPlayerBeta.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4856-169-0x00007FFA1EC30000-0x00007FFA1F094000-memory.dmp	upx
behavioral1/memory/4856-170-0x00007FFA3A840000-0x00007FFA3A864000-memory.dmp	upx
behavioral1/memory/4856-171-0x00007FFA3A7C0000-0x00007FFA3A7CF000-memory.dmp	upx
behavioral1/memory/4856-172-0x00007FFA3A7B0000-0x00007FFA3A7BD000-memory.dmp	upx
behavioral1/memory/4856-173-0x00007FFA332C0000-0x00007FFA332D8000-memory.dmp	upx
behavioral1/memory/4856-174-0x00007FFA32DA0000-0x00007FFA32DCC000-memory.dmp	upx
behavioral1/memory/4856-175-0x00007FFA251E0000-0x00007FFA25215000-memory.dmp	upx
behavioral1/memory/4856-176-0x00007FFA24570000-0x00007FFA2459F000-memory.dmp	upx
behavioral1/memory/4856-177-0x00007FFA21CE0000-0x00007FFA21DA1000-memory.dmp	upx
behavioral1/memory/4856-178-0x00007FFA32B60000-0x00007FFA32B7C000-memory.dmp	upx
behavioral1/memory/4856-179-0x00007FFA3A2F0000-0x00007FFA3A309000-memory.dmp	upx
behavioral1/memory/4856-181-0x00007FFA3A740000-0x00007FFA3A74D000-memory.dmp	upx
behavioral1/memory/4856-183-0x00007FFA3A2E0000-0x00007FFA3A2EA000-memory.dmp	upx
behavioral1/memory/4856-182-0x00007FFA24970000-0x00007FFA2499C000-memory.dmp	upx
behavioral1/memory/4856-184-0x00007FFA24230000-0x00007FFA2425E000-memory.dmp	upx
behavioral1/memory/4856-185-0x00007FFA1E8B0000-0x00007FFA1EC27000-memory.dmp	upx
behavioral1/memory/4856-186-0x00007FFA20140000-0x00007FFA201F7000-memory.dmp	upx
behavioral1/memory/4856-187-0x00007FFA29EC0000-0x00007FFA29ED5000-memory.dmp	upx
behavioral1/memory/4856-188-0x00007FFA20020000-0x00007FFA20138000-memory.dmp	upx
behavioral1/memory/4856-189-0x00007FFA251C0000-0x00007FFA251DE000-memory.dmp	upx
behavioral1/memory/4856-190-0x00007FFA1F5F0000-0x00007FFA1F761000-memory.dmp	upx
behavioral1/memory/4856-191-0x00007FFA23AE0000-0x00007FFA23B19000-memory.dmp	upx
behavioral1/memory/4856-192-0x00007FFA389C0000-0x00007FFA389CB000-memory.dmp	upx
behavioral1/memory/4856-193-0x00007FFA337D0000-0x00007FFA337DB000-memory.dmp	upx
behavioral1/memory/4856-194-0x00007FFA33160000-0x00007FFA3316C000-memory.dmp	upx
behavioral1/memory/4856-195-0x00007FFA33140000-0x00007FFA3314B000-memory.dmp	upx
behavioral1/memory/4856-196-0x00007FFA2C960000-0x00007FFA2C96C000-memory.dmp	upx
behavioral1/memory/4856-199-0x00007FFA24210000-0x00007FFA2421D000-memory.dmp	upx
behavioral1/memory/4856-200-0x00007FFA23FC0000-0x00007FFA23FCE000-memory.dmp	upx
behavioral1/memory/4856-201-0x00007FFA22090000-0x00007FFA2209C000-memory.dmp	upx
behavioral1/memory/4856-202-0x00007FFA21CD0000-0x00007FFA21CDC000-memory.dmp	upx
behavioral1/memory/4856-203-0x00007FFA21CC0000-0x00007FFA21CCB000-memory.dmp	upx
behavioral1/memory/4856-205-0x00007FFA21CA0000-0x00007FFA21CAC000-memory.dmp	upx
behavioral1/memory/4856-206-0x00007FFA21C90000-0x00007FFA21C9C000-memory.dmp	upx
behavioral1/memory/4856-207-0x00007FFA21C80000-0x00007FFA21C8D000-memory.dmp	upx
behavioral1/memory/4856-208-0x00007FFA21C60000-0x00007FFA21C72000-memory.dmp	upx
behavioral1/memory/4856-209-0x00007FFA21C50000-0x00007FFA21C5C000-memory.dmp	upx
behavioral1/memory/4856-204-0x00007FFA21CB0000-0x00007FFA21CBB000-memory.dmp	upx
behavioral1/memory/4856-210-0x00007FFA21660000-0x00007FFA21674000-memory.dmp	upx
behavioral1/memory/4856-211-0x00007FFA21630000-0x00007FFA21644000-memory.dmp	upx
behavioral1/memory/4856-212-0x00007FFA21610000-0x00007FFA2162B000-memory.dmp	upx
behavioral1/memory/4856-198-0x00007FFA24220000-0x00007FFA2422C000-memory.dmp	upx
behavioral1/memory/4856-213-0x00007FFA20660000-0x00007FFA20675000-memory.dmp	upx
behavioral1/memory/4856-214-0x00007FFA203B0000-0x00007FFA203EF000-memory.dmp	upx
behavioral1/memory/4856-215-0x00007FFA1F5D0000-0x00007FFA1F5E6000-memory.dmp	upx
behavioral1/memory/4856-197-0x00007FFA2A250000-0x00007FFA2A25B000-memory.dmp	upx
behavioral1/memory/4856-217-0x00007FFA21650000-0x00007FFA21660000-memory.dmp	upx
behavioral1/memory/4856-218-0x00007FFA20680000-0x00007FFA20693000-memory.dmp	upx
behavioral1/memory/4856-219-0x00007FFA21600000-0x00007FFA2160E000-memory.dmp	upx
behavioral1/memory/4856-220-0x00007FFA1F5A0000-0x00007FFA1F5CB000-memory.dmp	upx
behavioral1/memory/4856-221-0x00007FFA1E660000-0x00007FFA1E8AE000-memory.dmp	upx
behavioral1/memory/4856-223-0x00007FFA1EC30000-0x00007FFA1F094000-memory.dmp	upx
behavioral1/memory/4856-224-0x00007FFA3A840000-0x00007FFA3A864000-memory.dmp	upx
behavioral1/memory/4856-225-0x00007FFA21650000-0x00007FFA21660000-memory.dmp	upx
behavioral1/memory/4856-226-0x00007FFA3A740000-0x00007FFA3A74D000-memory.dmp	upx
behavioral1/memory/4856-227-0x00007FFA24970000-0x00007FFA2499C000-memory.dmp	upx
behavioral1/memory/4856-230-0x00007FFA21CE0000-0x00007FFA21DA1000-memory.dmp	upx
behavioral1/memory/4856-231-0x00007FFA24570000-0x00007FFA2459F000-memory.dmp	upx
behavioral1/memory/4856-232-0x00007FFA21CE0000-0x00007FFA21DA1000-memory.dmp	upx
behavioral1/memory/4856-229-0x00007FFA3A7B0000-0x00007FFA3A7BD000-memory.dmp	upx
behavioral1/memory/4856-233-0x00007FFA332C0000-0x00007FFA332D8000-memory.dmp	upx
behavioral1/memory/4856-234-0x00007FFA32DA0000-0x00007FFA32DCC000-memory.dmp	upx
behavioral1/memory/4856-228-0x00007FFA24570000-0x00007FFA2459F000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	RobloxPlayerBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
429	api.ipify.org
430	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4608 set thread context of 3672	4608	RobloxPlayerBeta.exe	170

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\image_keyframe_bounce_unselected.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\LeaveGame\selectorWithIcon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Pill\LargePill.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\eventMarker_inner.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\PrettyFormat-edcba0e9-2.4.1\ChalkLua.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\SchedulerWithReactIntegration.new.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxContacts\NetworkingContacts.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Cryo\Cryo\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestConfig\JestConfig\normalize.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\Shared-9c8468d8-8a7220fd\Shared\consoleWithStackDev.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VerifiedBadges\VerifiedBadges\Components\EmojiWrapper.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\mtrl_glacier_2022.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\GameProtocol.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioPlayerEmulator\player_emulator_32.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\icon_picker_disable.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\icon_regions_move.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestRunner\JestEnvironment.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxSquads\enumerate.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\PrettyFormat-edcba0e9-2.4.1\PrettyFormat\plugins\AsymmetricMatcher.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\RoduxFriends\roduxFriendsTypes.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxPresence\RoduxPresence\Actions\ReceivedUserPresence.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\MaterialManager\Favorite-Filled-Alt.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-0195bf64-20bb1a25\ExperienceChat\mountClientApp\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestSnapshot-edcba0e9-2.4.1\JestSnapshot\State.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestTestResult-edcba0e9-3.1.1\JestTestResult\helpers.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.4.2\LuauPolyfill\Array\find.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\SocialPanel\SocialPanelHeader\withUnreadChat.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\PurchasePromptDeps\IAPExperience.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-5fead8c7-0.1.1\lumberyak\example\page\pageLogger.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxNetworking-fe052a05-3.0.2\Promise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\tutils-aa9a0351-0.1.2\tutils\toString.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Lists\VirtualizedList.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\avatar\compositing\CompositTShirt.mesh	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\clb_robux_20.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\CollisionMatchers2D.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\PermissionsProtocol\MessageBus.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TagEditor\Visibility.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\execution\__tests__\resolve.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\NetworkingUsers\NetworkingUsers\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\fonts\families\PermanentMarker.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Controls\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-2.4.1\JestUtil\tryRealpath.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\UIBlox\GetFFlagUIBloxEnableMediaGalleryUpdate.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\NetworkingCurrentlyWearing\DebugUtils.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Common\Style\ColorSystem\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\de-de.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioToolbox\script.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\PlatformContent\pc\textures\woodplanks\reflection.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-b531e02e-6a8b665b\ExperienceChat\BubbleChat\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestDiff-edcba0e9-2.4.1\ChalkLua.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VR\Radial\Icons\2DUI.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestDiff-edcba0e9-2.4.1\JestDiff\JoinAlignedDiffs.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\UrlBuilder\UrlBuilder\encodeURIComponent.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\tutils-aa9a0351-0.1.2\tutils\deepCopy.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\InGameMenuDependencies\InGameMenuDependencies\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\particles\explosion01_smoke_main.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioSharedUI\avatarMask.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-0195bf64-20bb1a25\ExperienceChat\Commands\getPlayersFromString.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestConfig\JestConfig\validatePattern.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-3.1.1\JestUtil\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\GetFFlagHideTopbarWebviewItemsForVR.lua	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
836	4308	WerFault.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7B4A3715-300D-4AD7-9922-265E83A62111}	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{242F1641-00F0-434A-91EE-20C5CABE11D3}	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{242F1641-00F0-434A-91EE-20C5CABE11D3}\AppName = "RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6E400BEA-5A65-4571-860A-D127F0F6AF48}	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6E400BEA-5A65-4571-860A-D127F0F6AF48}\AppName = "RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6E400BEA-5A65-4571-860A-D127F0F6AF48}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxPlayerBeta.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{242F1641-00F0-434A-91EE-20C5CABE11D3}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7B4A3715-300D-4AD7-9922-265E83A62111}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{242F1641-00F0-434A-91EE-20C5CABE11D3}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RobloxPlayerBeta.exe = "11000"	RobloxPlayerBeta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6E400BEA-5A65-4571-860A-D127F0F6AF48}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7B4A3715-300D-4AD7-9922-265E83A62111}\AppName = "RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7B4A3715-300D-4AD7-9922-265E83A62111}\Policy = "3"	RobloxPlayerLauncher.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "1"	svchost.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	chrome.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
4160	chrome.exe
4160	chrome.exe
4628	chrome.exe
4628	chrome.exe
2816	chrome.exe
2816	chrome.exe
3412	chrome.exe
3412	chrome.exe
3972	chrome.exe
3972	chrome.exe
3100	chrome.exe
3100	chrome.exe
4520	chrome.exe
4520	chrome.exe
4608	chrome.exe
4608	chrome.exe
4264	chrome.exe
4264	chrome.exe
4592	chrome.exe
4592	chrome.exe
3844	RobloxPlayerLauncher.exe
3844	RobloxPlayerLauncher.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
3144	chrome.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1756	RobloxPlayerLauncher.exe
1448	chrome.exe
1448	chrome.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4608	RobloxPlayerBeta.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3860	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3860	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4608	RobloxPlayerBeta.exe
4608	RobloxPlayerBeta.exe
4188	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4200	4160	chrome.exe	81
PID 4160 wrote to memory of 4200	4160	chrome.exe	81
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2300	4160	chrome.exe	85
PID 4160 wrote to memory of 2308	4160	chrome.exe	86
PID 4160 wrote to memory of 2308	4160	chrome.exe	86
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87
PID 4160 wrote to memory of 1496	4160	chrome.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://cdn.discordapp.com/attachments/1008874207028981800/1053914756156755989/SeerX.exe
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa24554f50,0x7ffa24554f60,0x7ffa24554f70
    3⤵
    PID:4200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
    3⤵
    PID:2300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
    3⤵
    PID:1496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
    3⤵
    PID:1116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
    3⤵
    PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 /prefetch:8
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 /prefetch:8
    3⤵
    PID:1012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:4740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
    3⤵
    PID:4104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:1996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:8
    3⤵
    PID:1132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:8
    3⤵
    PID:3224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
    3⤵
    PID:1300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:8
    3⤵
    PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:8
    3⤵
    PID:3460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
    3⤵
    PID:2664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
    3⤵
    PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:2792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:3640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:2684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    3⤵
    PID:2768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5024 /prefetch:8
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
    3⤵
    PID:616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
    3⤵
    PID:4864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3044 /prefetch:8
    3⤵
    PID:1092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2556 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 /prefetch:8
    3⤵
    PID:668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3044 /prefetch:8
    3⤵
    PID:3716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1020 /prefetch:8
    3⤵
    PID:4060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4592
- - C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
    "C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3844
  - - C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
      C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=ZFlag --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7fc,0x7f8,0x79c,0x6c8,0x7ec,0x6a0af4,0x6a0b04,0x6a0b14
      4⤵
      Executes dropped EXE
      PID:1300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6900 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3144
- - C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
    "C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
  - - C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
      C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=zflag --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x6f4,0x6e8,0x710,0x694,0x71c,0x6a0af4,0x6a0b04,0x6a0b14
      4⤵
      Executes dropped EXE
      PID:4780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    PID:1732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1100 /prefetch:8
    3⤵
    PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,4992559164282434589,14643570998191346383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1448
- - C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe
    "C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe" roblox-player:1+launchmode:play+gameinfo:Yqdciy9OwNu4egct-Vnod44UWWmvx7fOWbS8iKTt701Y4ga2fXygyun73BRTAIslpSuvd6cjnEufazmgPuO4SsPTcwp4csv0jyyfCHQQ9jkjbD5y02rL3UZolA09Jiy3F7pT5zirOAuZiV_ndsqn9jCCpgDgmwTYZ9wAA3S8wySKLrhWA0hC-rsY-FQ79I0aHKI2ei-FXYrExuq-BvTCcK3IeM22NOUeL5y68MXjHN8+launchtime:1671353364105+placelauncherurl:https%3A%2F%2Fassetgame.roblox.com%2Fgame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D156894660095%26placeId%3D379614936%26isPlayTogetherGame%3Dfalse+browsertrackerid:156894660095+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1924
  - - C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe
      "C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x718,0x71c,0x720,0x698,0x740,0x1360af4,0x1360b04,0x1360b14
      4⤵
      Executes dropped EXE
      PID:4876
  - - C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerBeta.exe
      "C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerBeta.exe" --app -t Yqdciy9OwNu4egct-Vnod44UWWmvx7fOWbS8iKTt701Y4ga2fXygyun73BRTAIslpSuvd6cjnEufazmgPuO4SsPTcwp4csv0jyyfCHQQ9jkjbD5y02rL3UZolA09Jiy3F7pT5zirOAuZiV_ndsqn9jCCpgDgmwTYZ9wAA3S8wySKLrhWA0hC-rsY-FQ79I0aHKI2ei-FXYrExuq-BvTCcK3IeM22NOUeL5y68MXjHN8 -j https://assetgame.roblox.com/game/PlaceLauncher.ashx?request=RequestGame&browserTrackerId=156894660095&placeId=379614936&isPlayTogetherGame=false -b 156894660095 --launchtime=1671353364105 --rloc en_us --gloc en_us
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4608
- C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerBeta.exe
  \??\C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerBeta.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Users\Admin\Downloads\SeerX.exe
  "C:\Users\Admin\Downloads\SeerX.exe"
  2⤵
  PID:2744
- - C:\Users\Admin\Downloads\SeerX.exe
    "C:\Users\Admin\Downloads\SeerX.exe"
    3⤵
    PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:3896
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:3308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4308 -ip 4308
1⤵
PID:1916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4308 -s 1756
1⤵
- Program crash
PID:836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
PID:3500

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:4124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:3924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
PID:4360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
0c5cb44375fe9399bd90073d99ccafa7

SHA1
5dd5589bf8a1f4af05c142802ae452fb6a9a4b1c

SHA256
d29d54c7c825f9ddb3b06b4547c50f331024771aa24322c912ab14b188e24a97

SHA512
8a02cbdc747b8e6cf213c5b80bd5f9461d8d038a4954f8cc57f39d4b97f0846302722de91b4de6907c7ec13c5a8b521ae45d752302aee20d421b8e27de8b7935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
cdba8607a89e930e25d06ff05be29e1c

SHA1
8db08e67c4dd75a25cadc22416b6902824d2a30e

SHA256
c3f8543863921f52d6a146519f523dd9bfad662f08fc9a7cb6b2c0b5dfd212b9

SHA512
87062879c1913d2c9211a72c7b62b3b6c59166eb93047e032f785f7c703fbd75ad545eda1910a78238e75b5dab93f738ebe78b6560e340b73db884e994176a12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
63df9444fa771935d171452cbd4e1965

SHA1
ac428261968b784583ea300a36af5eec40151d9e

SHA256
0689fc89c941978132c51c3734bbea2a2d164a3a8a29bcca3b91e10937c576bd

SHA512
da21fb75f9c07284339c7e185367d16d289d17f2d39b81213c46450202c255028f110030a7d155ba49593427feb96590df0ab647d7b1fc0e4af1ee60eec00a9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
d58465f25cff2f7d3c3d9f19188fc535

SHA1
dba6704f12993cbeed5e58a89a19b50ff4d91208

SHA256
2219fea2e7b56d945f0a6a06952529eed980c6674ddf0bee34f1f4138c6e6da4

SHA512
0ce5353ffde4b61bece5faea6e9096c4fd33e6a3dffab582e23985ffba168010de0ca272af37a6d62335c18cc66b524be5c06f8d8429a905ca94a94ce2b13cde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
23536f6983bbd031d5d9b0cd90cdb3c2

SHA1
b04983bfa82688c5e26086a8e87015bb8751efa1

SHA256
a1a20f9b04ca011f2a0a43bd92a0d76e590d26e08cdf973f6a33ec5e80297b6d

SHA512
e8544ee8ff4cda61b80a098fa87ccadaf579fd4236034ae19277cf301e76097331feee6c345e51d22185586b91d824ad3a58219644a844890930534e8746180c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
a8d5072c7f1fb414d5d869b3b6e51fb7

SHA1
8f6c1e67e4b7b6293b9fddd92c65a24709938a08

SHA256
77477fda08e0b5009536378d1f8dce17963d6787a4c225b78ac646e7067bc785

SHA512
e2a2dcb77e5134a43e2bcf586b6ea2d11acf3c7c35c9c30cfae7eed9c923abffd0b23e31e50e2ff7278041e687503a90ec6a9840ff9c2e3cd9f7b75e30f15030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5b14a69c1f1eb4e0963fb0a8a4264686

SHA1
673c2da772057479b5cf0076004dcc77a1652334

SHA256
e8c6c747966cdadf5baa28497a80b46b3b6c4ddaf169c694fed4e926472d1ef0

SHA512
f4ddd090de24111f050908650829801748d5f7da84102a72defdf1b5c99372087af66971d26567cd4eb5c457b8b22a1d9c7acedc69c252818b7676bbbfd01617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6ETIP3O1\PCClientBootstrapper[1].json

Filesize
2KB

MD5
5f6a61a8cb63e4900c9025b62a91e249

SHA1
da234df3682bdc17ed5781f92b05cb643793c379

SHA256
9324c2c947454f1e0e8c250c7cdeca59f745a03fc03c6710e7f951404e34b5ea

SHA512
62b9e2e5fa2b0989cae320722228a1bfe409b82917112bcbe8e07de9668e2deff8e1e4ab2c0ee376af2770c15aa602a3f5da589575d1958010168264b4444b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
5f1d8de7d550bfecb081ff9e6ac353f4

SHA1
49ea508cbc94bc1a31f03bc152748399342393cf

SHA256
d87dfdd108a865959d134f83becff634c61d24073109cf6a0b28a314ade91336

SHA512
fa8b23a49ea3927e62eeb2d088193daf349eeaf317828c58a85b123e27199db2863ac067615cc8f1cdcd6af3ed34d3e5cb9fb9160b013da5c84fe61943ca8dd9

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
memory/3672-157-0x0000000000D50000-0x0000000000E41000-memory.dmp

Filesize
964KB

Download
memory/3672-164-0x0000000000D50000-0x0000000000E41000-memory.dmp

Filesize
964KB

Download
memory/3672-165-0x0000000001470000-0x0000000001D2A000-memory.dmp

Filesize
8.7MB

Download
memory/4608-154-0x0000000000D50000-0x0000000006352000-memory.dmp

Filesize
86.0MB

Download
memory/4608-167-0x0000000000D50000-0x0000000006352000-memory.dmp

Filesize
86.0MB

Download
memory/4856-187-0x00007FFA29EC0000-0x00007FFA29ED5000-memory.dmp

Filesize
84KB

Download
memory/4856-206-0x00007FFA21C90000-0x00007FFA21C9C000-memory.dmp

Filesize
48KB

Download
memory/4856-172-0x00007FFA3A7B0000-0x00007FFA3A7BD000-memory.dmp

Filesize
52KB

Download
memory/4856-173-0x00007FFA332C0000-0x00007FFA332D8000-memory.dmp

Filesize
96KB

Download
memory/4856-174-0x00007FFA32DA0000-0x00007FFA32DCC000-memory.dmp

Filesize
176KB

Download
memory/4856-175-0x00007FFA251E0000-0x00007FFA25215000-memory.dmp

Filesize
212KB

Download
memory/4856-176-0x00007FFA24570000-0x00007FFA2459F000-memory.dmp

Filesize
188KB

Download
memory/4856-177-0x00007FFA21CE0000-0x00007FFA21DA1000-memory.dmp

Filesize
772KB

Download
memory/4856-178-0x00007FFA32B60000-0x00007FFA32B7C000-memory.dmp

Filesize
112KB

Download
memory/4856-179-0x00007FFA3A2F0000-0x00007FFA3A309000-memory.dmp

Filesize
100KB

Download
memory/4856-181-0x00007FFA3A740000-0x00007FFA3A74D000-memory.dmp

Filesize
52KB

Download
memory/4856-183-0x00007FFA3A2E0000-0x00007FFA3A2EA000-memory.dmp

Filesize
40KB

Download
memory/4856-182-0x00007FFA24970000-0x00007FFA2499C000-memory.dmp

Filesize
176KB

Download
memory/4856-184-0x00007FFA24230000-0x00007FFA2425E000-memory.dmp

Filesize
184KB

Download
memory/4856-185-0x00007FFA1E8B0000-0x00007FFA1EC27000-memory.dmp

Filesize
3.5MB

Download
memory/4856-186-0x00007FFA20140000-0x00007FFA201F7000-memory.dmp

Filesize
732KB

Download
memory/4856-170-0x00007FFA3A840000-0x00007FFA3A864000-memory.dmp

Filesize
144KB

Download
memory/4856-169-0x00007FFA1EC30000-0x00007FFA1F094000-memory.dmp

Filesize
4.4MB

Download
memory/4856-188-0x00007FFA20020000-0x00007FFA20138000-memory.dmp

Filesize
1.1MB

Download
memory/4856-189-0x00007FFA251C0000-0x00007FFA251DE000-memory.dmp

Filesize
120KB

Download
memory/4856-190-0x00007FFA1F5F0000-0x00007FFA1F761000-memory.dmp

Filesize
1.4MB

Download
memory/4856-191-0x00007FFA23AE0000-0x00007FFA23B19000-memory.dmp

Filesize
228KB

Download
memory/4856-192-0x00007FFA389C0000-0x00007FFA389CB000-memory.dmp

Filesize
44KB

Download
memory/4856-193-0x00007FFA337D0000-0x00007FFA337DB000-memory.dmp

Filesize
44KB

Download
memory/4856-194-0x00007FFA33160000-0x00007FFA3316C000-memory.dmp

Filesize
48KB

Download
memory/4856-195-0x00007FFA33140000-0x00007FFA3314B000-memory.dmp

Filesize
44KB

Download
memory/4856-196-0x00007FFA2C960000-0x00007FFA2C96C000-memory.dmp

Filesize
48KB

Download
memory/4856-199-0x00007FFA24210000-0x00007FFA2421D000-memory.dmp

Filesize
52KB

Download
memory/4856-200-0x00007FFA23FC0000-0x00007FFA23FCE000-memory.dmp

Filesize
56KB

Download
memory/4856-201-0x00007FFA22090000-0x00007FFA2209C000-memory.dmp

Filesize
48KB

Download
memory/4856-202-0x00007FFA21CD0000-0x00007FFA21CDC000-memory.dmp

Filesize
48KB

Download
memory/4856-203-0x00007FFA21CC0000-0x00007FFA21CCB000-memory.dmp

Filesize
44KB

Download
memory/4856-205-0x00007FFA21CA0000-0x00007FFA21CAC000-memory.dmp

Filesize
48KB

Download
memory/4856-171-0x00007FFA3A7C0000-0x00007FFA3A7CF000-memory.dmp

Filesize
60KB

Download
memory/4856-207-0x00007FFA21C80000-0x00007FFA21C8D000-memory.dmp

Filesize
52KB

Download
memory/4856-208-0x00007FFA21C60000-0x00007FFA21C72000-memory.dmp

Filesize
72KB

Download
memory/4856-209-0x00007FFA21C50000-0x00007FFA21C5C000-memory.dmp

Filesize
48KB

Download
memory/4856-204-0x00007FFA21CB0000-0x00007FFA21CBB000-memory.dmp

Filesize
44KB

Download
memory/4856-210-0x00007FFA21660000-0x00007FFA21674000-memory.dmp

Filesize
80KB

Download
memory/4856-211-0x00007FFA21630000-0x00007FFA21644000-memory.dmp

Filesize
80KB

Download
memory/4856-212-0x00007FFA21610000-0x00007FFA2162B000-memory.dmp

Filesize
108KB

Download
memory/4856-198-0x00007FFA24220000-0x00007FFA2422C000-memory.dmp

Filesize
48KB

Download
memory/4856-213-0x00007FFA20660000-0x00007FFA20675000-memory.dmp

Filesize
84KB

Download
memory/4856-214-0x00007FFA203B0000-0x00007FFA203EF000-memory.dmp

Filesize
252KB

Download
memory/4856-215-0x00007FFA1F5D0000-0x00007FFA1F5E6000-memory.dmp

Filesize
88KB

Download
memory/4856-197-0x00007FFA2A250000-0x00007FFA2A25B000-memory.dmp

Filesize
44KB

Download
memory/4856-217-0x00007FFA21650000-0x00007FFA21660000-memory.dmp

Filesize
64KB

Download
memory/4856-218-0x00007FFA20680000-0x00007FFA20693000-memory.dmp

Filesize
76KB

Download
memory/4856-219-0x00007FFA21600000-0x00007FFA2160E000-memory.dmp

Filesize
56KB

Download
memory/4856-220-0x00007FFA1F5A0000-0x00007FFA1F5CB000-memory.dmp

Filesize
172KB

Download
memory/4856-221-0x00007FFA1E660000-0x00007FFA1E8AE000-memory.dmp

Filesize
2.3MB

Download
memory/4856-228-0x00007FFA24570000-0x00007FFA2459F000-memory.dmp

Filesize
188KB

Download
memory/4856-223-0x00007FFA1EC30000-0x00007FFA1F094000-memory.dmp

Filesize
4.4MB

Download
memory/4856-224-0x00007FFA3A840000-0x00007FFA3A864000-memory.dmp

Filesize
144KB

Download
memory/4856-225-0x00007FFA21650000-0x00007FFA21660000-memory.dmp

Filesize
64KB

Download
memory/4856-226-0x00007FFA3A740000-0x00007FFA3A74D000-memory.dmp

Filesize
52KB

Download
memory/4856-227-0x00007FFA24970000-0x00007FFA2499C000-memory.dmp

Filesize
176KB

Download
memory/4856-230-0x00007FFA21CE0000-0x00007FFA21DA1000-memory.dmp

Filesize
772KB

Download
memory/4856-231-0x00007FFA24570000-0x00007FFA2459F000-memory.dmp

Filesize
188KB

Download
memory/4856-232-0x00007FFA21CE0000-0x00007FFA21DA1000-memory.dmp

Filesize
772KB

Download
memory/4856-229-0x00007FFA3A7B0000-0x00007FFA3A7BD000-memory.dmp

Filesize
52KB

Download
memory/4856-233-0x00007FFA332C0000-0x00007FFA332D8000-memory.dmp

Filesize
96KB

Download
memory/4856-234-0x00007FFA32DA0000-0x00007FFA32DCC000-memory.dmp

Filesize
176KB

Download