e106dc57418b5286dac7ee1921920c7c6617c4480a6c983c274ab025ec31cc7b

Analysis

max time kernel
130s
max time network
87s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/01/2023, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup - Extravi's ReShade-Preset.exe
Size

1.9MB
MD5

34d7a50686bff4cc31569af93d734561
SHA1

98c3b64a64ef7b608412f0bbbb1e606fda77e0b6
SHA256

e106dc57418b5286dac7ee1921920c7c6617c4480a6c983c274ab025ec31cc7b
SHA512

1874c502649cad7c61dd2261b12c6609780c554496ad233f0cdfb50280c4fe21753ccd8a3f73000a96f18b057a2971c7cd52f4ab852bfd3a0de6f38a3afe0cf3
SSDEEP

49152:3R6cGVgvztCtGe+sbLAChFbIzR7S0OzHl+vMTNTtC9:3RVGVYz4LXrzA77Oz40TRc9

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1540	RobloxPlayerLauncher.exe
1628	RobloxPlayerLauncher.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Loads dropped DLL 15 IoCs

pid	Process
604	Setup - Extravi's ReShade-Preset.exe
604	Setup - Extravi's ReShade-Preset.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AvatarEditorImages\CircleCutoutLarge.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestSnapshot-edcba0e9-3.1.1\JestSnapshot\SnapshotResolver.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-e5bec545-6ef031c0\RoduxFriends\Reducers\Friends\requests\sourceUniverseIds.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\MenuBar\icon_chat.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\Radial\BottomRightSelected.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ViewSelector\left_hover_zh_cn.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-0195bf64-20bb1a25\ExperienceChat\BubbleChat\BlankBubble\BlankBubble.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\NetworkingContacts-96003ad7-1.7.0\NetworkingContacts\createRequestThunks.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-9c8468d8-8a7220fd\ReactReconciler\ReactFiberContext.new.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\TestEZJestAdapter\ChalkLua.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\Thumbnailing\Thumbnailing\ColorUtility.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\grid2.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\PluginManagement\checked_dark.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\PluginManagement\checked_light.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\MenuBarIcons\ReportAbuseTab.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-0195bf64-20bb1a25\ExperienceChat\AppLayout\AppLayout.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\roblox_http-request\http-request\RequestFunctions\MockRequest.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Core\Style\StyleConsumer.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\UniversalApp\Video\VideoProtocol.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\RobloxAppUIBloxConfig.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Requests\GetCanSendAndCanCustomizeInvites.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialReducerAdaptors\SocialReducerAdaptors\dependencies.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\TestMatchers\toHaveSameMembers.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Requests\SendGameLinkNotification.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\DeveloperFramework\slider_knob_ouline.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\MaterialManager\Fill.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\RobloxRequests.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-0195bf64-20bb1a25\ExperienceChat\Actions\VoiceParticipantRemoved.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestSnapshot-edcba0e9-2.4.1\JestDiff.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-0ba25b72-b001fcbe\RoduxFriends\Selectors\getSortedByRankRecommendations.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\TestingAnalytics\mockLogger.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\hi-in.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\UserLib\UserLib\Enum\AvatarThumbnailTypes.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\TopBar\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxAliases\RoduxAliases\Actions\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\ErrorReporters\Backtrace\ProcessErrorStack.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\Stories\Private\PurchaseErrorPrompt.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-492710c6-1e7909bf\RoduxFriends\Actions\FriendRequestCreated.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\SharedUtils\SharedUtils\unwrapPromiseError.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\ReleaseHelpers\throttleUserId.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\tutils-04e2814e-937da4f7\tutils\fieldCount.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\avatar\compositing\CompositQuad.mesh	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\avatar\scripts\module_grounding.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppCommonLib\AppCommonLib\ThrottleUserId.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\SocialPanel\SocialPanelHeader\withFriendRequests.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\textures\ui\LuaChat\9-slice\chat-bubble-tip-right.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\JestFakeTimers-edcba0e9-3.1.1\JestMock.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\Shared-9c8468d8-8a7220fd\Shared\ReactSharedInternals\IsSomeRendererActing.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\User\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-24c5c11f-f6df649b\RoduxNetworking.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Menu\KeyLabel.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\particles\forcefield_vortex_color.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\roblox_networking-presence\networking-presence\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Analytics\Analytics\AnalyticsReporters\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\button_control_firstframe.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\PremiumUpsell\PremiumUpsellPrompt.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\DeveloperFramework\UIOff_dark.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\DeviceEmulator\emulator.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\PlayerList\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\UserInputPlaybackPlugin\ArrowCursor.png	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2E21874-666F-4A9E-B5BA-D90D6B09FFA4}\Policy = "3"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EAB78E58-760C-4650-B149-2101D2A13368}\AppName = "RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2E21874-666F-4A9E-B5BA-D90D6B09FFA4}\AppName = "RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EAB78E58-760C-4650-B149-2101D2A13368}	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2E21874-666F-4A9E-B5BA-D90D6B09FFA4}	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2E21874-666F-4A9E-B5BA-D90D6B09FFA4}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EAB78E58-760C-4650-B149-2101D2A13368}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EAB78E58-760C-4650-B149-2101D2A13368}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\"	RobloxPlayerLauncher.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\roblox-player\shell\open	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe
1540	RobloxPlayerLauncher.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1496	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1496	AUDIODG.EXE
Token: 33	1496	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1496	AUDIODG.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 604 wrote to memory of 1540	604	Setup - Extravi's ReShade-Preset.exe	26
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29
PID 1540 wrote to memory of 1628	1540	RobloxPlayerLauncher.exe	29

C:\Users\Admin\AppData\Local\Temp\Setup - Extravi's ReShade-Preset.exe
"C:\Users\Admin\AppData\Local\Temp\Setup - Extravi's ReShade-Preset.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe
  "C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5c8,0x5cc,0x5d0,0x5a4,0x5e0,0xe50af4,0xe50b04,0xe50b14
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1628

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1432

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1484

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:980

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
ef1445b7eb848cdf5da9727ee6398adc

SHA1
7a4fd9f16b37af87aa00ea5b8cd03926275d1c7f

SHA256
c1ad0ea5a9ef9dca2957928b6b74954b7bd144b9dc49d7c0705a1b41feee4bb9

SHA512
0b1803249cede717e42ac8cc17f410f2713a901a211d0ebf0972d40461287b8353b131dbe8ab770523581a1905ae1c9a69da93272b1a1ec0b0e1bc0b6d65c6fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
70b57201620f585da8e35958af06faac

SHA1
cd7620b5c1c2cf91064b014e4aef4a1f9680b951

SHA256
399108d2a8e97ddf2d55704bdc951c6bc4400554ec0f78b187c801ecb39085b3

SHA512
2211f1bca562a0df04ad1fbde9d9ad1c234b75a43612d9bac292a60424107855599615292792482adb1ff078b2f0ba5e4208310a21ead5c1dec90b2bee4649a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
b57d2f4b55606d727fa17a6fe9c4c417

SHA1
7a25fa51ef3a0c8763f8826514b8d2fba8742f96

SHA256
833782e2bcb61222ba8d8a79eaaca1f6f43f526a072308dc400bc6c26d23f3c3

SHA512
35246d2cca4d20c1c089fa82cced4ed8b9ef0136126c8bcfb36515cec0dcf60cf218b43652b4cae09f0c1b74bc65e6a755570ddc2c9f5c8d941051ff8fc162ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
f2fea3fa0fcf95194f6a83bbd44ce5ae

SHA1
3d62b1ad4fc3b6f1f66c19f9e007eb9897e7e464

SHA256
f5962c922476a34f26996c1b2955a4877a73e05d9cd902ab427c84efc3f48a21

SHA512
5f6119c8073b4915de28faa84c686bd78eacae39b356a97aa966f8d642d8d29853a7853bac1f5e8b2f84357756a1ff93a53dc82d2fd3c45b43b1c169031f6d21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
172235b469538aaab021a73417b85bf4

SHA1
64731234e258d74b5effcde49806fe2b5679a0f6

SHA256
9bb127c9e1f34f28287ea5827cee4896e5747002a91631917ac9e0288703a638

SHA512
d894f7a0013474092990ae96f0cbc2f73581b212fb99286a06bcab3e2fd018be024b8ba5e4f1b00d6207f4bcbdc6c533bbad52aedd5836e6383435a499e23739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f193bf682ab3a91fe2df10830c738bf2

SHA1
bff979468bcf9d49f60a245b653f86e9a1d189ab

SHA256
c83a75f3c5eba6137449cd753df39a305305bb72a3d8fda5b501edb71e47e2d4

SHA512
395f645c2f6c2efb21f616ede3efecb7b6a9341f6847250950535be6ec64b278f2c0f876ed2e38eb4a5d6c7dc48c10ebb8f59beed723bf746583cfd879fb194c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
dd7315b9c0ae4ae12e29246fad16c99a

SHA1
793ac40dd5f02e224a89b6759319533b0dad5030

SHA256
9e24def1ea4352dd7ff1938fc73e17c0d98692d39b054a4988803be00ba21299

SHA512
f01c832b39188b9911fb03103d342f7dbc9649d8b49bc7be2574283d84a7986dbbb395905f14530f06f1f560b31db99ba2168960428e43b9b4df325dbd31d43e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
924d771cf2d1f309bfd81d67200ff0d9

SHA1
d06de281f6436f053f3a6c6e9c0c8b50222e6a21

SHA256
5cb83cef2cbecc6a8c958e4b8ecf62ad379c00f45ee7122e241fefc960ad3a37

SHA512
b6f23801804f50f7fb3c264a189f96eeacc3171fdfa5254b5c3f3c6810430453aefb6b27377bbe26de5181161e7092fd84e271a9c795cad4e731255925604fb0

Download Submit
C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\PCClientBootstrapper[1].json

Filesize
2KB

MD5
5f6a61a8cb63e4900c9025b62a91e249

SHA1
da234df3682bdc17ed5781f92b05cb643793c379

SHA256
9324c2c947454f1e0e8c250c7cdeca59f745a03fc03c6710e7f951404e34b5ea

SHA512
62b9e2e5fa2b0989cae320722228a1bfe409b82917112bcbe8e07de9668e2deff8e1e4ab2c0ee376af2770c15aa602a3f5da589575d1958010168264b4444b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
f6784fcbb4db1a9ae3256db7ed99e1de

SHA1
e1fafa63278a803894a1caaa20741a5cf17d7383

SHA256
04668587a359f95ff9c72050ee31a5953e0006e20f694c654e07294cb1b5f4c0

SHA512
ba261108132dee6cb17b1cba2d35dc0a2359f72b23032217281216ccefb25984c94166cf54e0bec9ba531fdfde59a3e89490f2615afa7a95874022caf2183869

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
eb1a2bc52160cfbe07fee32865f43902

SHA1
75fb41506d11057bfaa2d6f83f2d1fe1267286b4

SHA256
9be6907ffba895e95a1aaadd9e23dcea5f29e87d23e96f07ddbe3239326f0b4a

SHA512
19a38a95a750a0e3681e96f29b4fe7b8b0fe42f19f0261241b64f0be879575258a351c08a8fff7f60440b5ee5d391d4a33994a442aa254d5f0fae7913b87b010

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
eb1a2bc52160cfbe07fee32865f43902

SHA1
75fb41506d11057bfaa2d6f83f2d1fe1267286b4

SHA256
9be6907ffba895e95a1aaadd9e23dcea5f29e87d23e96f07ddbe3239326f0b4a

SHA512
19a38a95a750a0e3681e96f29b4fe7b8b0fe42f19f0261241b64f0be879575258a351c08a8fff7f60440b5ee5d391d4a33994a442aa254d5f0fae7913b87b010

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
eb1a2bc52160cfbe07fee32865f43902

SHA1
75fb41506d11057bfaa2d6f83f2d1fe1267286b4

SHA256
9be6907ffba895e95a1aaadd9e23dcea5f29e87d23e96f07ddbe3239326f0b4a

SHA512
19a38a95a750a0e3681e96f29b4fe7b8b0fe42f19f0261241b64f0be879575258a351c08a8fff7f60440b5ee5d391d4a33994a442aa254d5f0fae7913b87b010

Download Submit
\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerBeta.exe

Filesize
57.3MB

MD5
a2b4587af8afdc7411ee49d85156dbb1

SHA1
151c8cdb437ac305a49d82ef18207e0ffd17745e

SHA256
22f5f7156a4adc3e237b8fa415cabc89cd60e9e00db287a2b2111ab489aa4263

SHA512
3e877b74ef9266aba29cd45b5a3c7b04ac54bb523c9b929150dfa7a0e3311b3430ad368de6cfbb0b7839082f8196c64d227b070bed0a1199a25388216f49f9fd

Download Submit
\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerBeta.exe

Filesize
57.3MB

MD5
a2b4587af8afdc7411ee49d85156dbb1

SHA1
151c8cdb437ac305a49d82ef18207e0ffd17745e

SHA256
22f5f7156a4adc3e237b8fa415cabc89cd60e9e00db287a2b2111ab489aa4263

SHA512
3e877b74ef9266aba29cd45b5a3c7b04ac54bb523c9b929150dfa7a0e3311b3430ad368de6cfbb0b7839082f8196c64d227b070bed0a1199a25388216f49f9fd

Download Submit
\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
\Users\Admin\AppData\Local\Temp\nst5350.tmp\NScurl.dll

Filesize
3.6MB

MD5
aaeb8f600472be5a576dd6650ef095dc

SHA1
289dcb90640dedf59c4d71b020eec8198f459619

SHA256
8c354ef302075c1b07a713b0b3ab833d8549e61e5c22132fe6e3d1d11647e60e

SHA512
888376bf44d61477bd24b68947f2ae21c79bcbb2fb778c898fff04e6d85073d650e370c8af70867ab8f6a956ed434acb03c01e663993f1de98e7622928b852d2

Download Submit
memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/980-91-0x0000000072B01000-0x0000000072B03000-memory.dmp

Filesize
8KB

Download
memory/1432-82-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download