e106dc57418b5286dac7ee1921920c7c6617c4480a6c983c274ab025ec31cc7b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2023, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup - Extravi's ReShade-Preset.exe
Size

1.9MB
MD5

34d7a50686bff4cc31569af93d734561
SHA1

98c3b64a64ef7b608412f0bbbb1e606fda77e0b6
SHA256

e106dc57418b5286dac7ee1921920c7c6617c4480a6c983c274ab025ec31cc7b
SHA512

1874c502649cad7c61dd2261b12c6609780c554496ad233f0cdfb50280c4fe21753ccd8a3f73000a96f18b057a2971c7cd52f4ab852bfd3a0de6f38a3afe0cf3
SSDEEP

49152:3R6cGVgvztCtGe+sbLAChFbIzR7S0OzHl+vMTNTtC9:3RVGVYz4LXrzA77Oz40TRc9

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3504	RobloxPlayerLauncher.exe
348	RobloxPlayerLauncher.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Loads dropped DLL 1 IoCs

pid	Process
5020	Setup - Extravi's ReShade-Preset.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\img_scalebar_arrows_border.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioToolbox\Search.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Controls\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\MenuBarAssets\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\addEvent_border.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\img_scrubberhead.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\CollisionGroupsEditor\rename-hover.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\particles\common_alpha.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\DPadSheet.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\avatar\heads\headI.mesh	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\animation_editor_32x32.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\RoactStudioWidgets\slider_bar_dark.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\InGameMenu\XboxController.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\PlayerList\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\MenuBarAssets\MenuSelection.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\PlatformContent\pc\textures\pebble\normal.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ClassImages.PNG	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\New\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\models\ViewSelector\Basic.mesh	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\mtrl_rock_2022.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\icon_ROBUX.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\DeveloperFramework\Votes\rating_up_white.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioSharedUI\ScrollBarTop.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioToolbox\announcementConstruction.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioToolbox\AssetPreview\star_stroke.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\sky\clouds-bc4.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\mt_terrain_import.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\PlayerList\FollowingIcon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Scroll\scroll-bottom.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\PivotEditor\HoveredPivot.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AssetManager\explorer.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\icon_regions_rotate.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Vehicle\SpeedBar.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\fonts\families\DenkOne.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\button_pressed.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\mtrl_basalt_2022.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\Players\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\img_key_indicator_border.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\MaterialManager\Grid_DT.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioSharedUI\sort.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\InspectMenu\Button_white.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\Help\ResetIcon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\PlatformContent\pc\textures\brick\diffuse.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\image_scrollbar_vertical_mid.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\GameSettings\ArrowLeft.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Settings\Radial\Menu.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\TopBar\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\AnimationEditor\button_zoom_default_right.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\StudioToolbox\AssetConfig\copy_2x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\PerformanceStats\TargetLine.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\TopBar\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\shadowblurmask.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\RoactStudioWidgets\toggle_off_light.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\TerrainTools\icon_regions_resize.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\Input\DashedLine90.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\ui\TopBar\close.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\UserInputPlaybackPlugin\TapCursor.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-e3de6c198f2c469b\content\textures\Debugger\Breakpoints\[email protected]	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9CE5AEFB-E540-4DC5-85F0-2E754786A1E6}	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9CE5AEFB-E540-4DC5-85F0-2E754786A1E6}\AppName = "RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9CE5AEFB-E540-4DC5-85F0-2E754786A1E6}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9CE5AEFB-E540-4DC5-85F0-2E754786A1E6}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-e3de6c198f2c469b\\"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c0000000100000004000000000800000b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3504	RobloxPlayerLauncher.exe
3504	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3504	5020	Setup - Extravi's ReShade-Preset.exe	84
PID 5020 wrote to memory of 3504	5020	Setup - Extravi's ReShade-Preset.exe	84
PID 5020 wrote to memory of 3504	5020	Setup - Extravi's ReShade-Preset.exe	84
PID 3504 wrote to memory of 348	3504	RobloxPlayerLauncher.exe	87
PID 3504 wrote to memory of 348	3504	RobloxPlayerLauncher.exe	87
PID 3504 wrote to memory of 348	3504	RobloxPlayerLauncher.exe	87

C:\Users\Admin\AppData\Local\Temp\Setup - Extravi's ReShade-Preset.exe
"C:\Users\Admin\AppData\Local\Temp\Setup - Extravi's ReShade-Preset.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe
  "C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x79c,0x7a0,0x7a4,0x798,0x6e4,0x11e0af4,0x11e0b04,0x11e0b14
    3⤵
    - Executes dropped EXE
    PID:348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\AppData\Local\Extravi's ReShade-Preset\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
88e64ec3895db7e1dadeb7e28a149642

SHA1
b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c

SHA256
6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

SHA512
f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1TQVPNOO\PCClientBootstrapper[1].json

Filesize
2KB

MD5
5f6a61a8cb63e4900c9025b62a91e249

SHA1
da234df3682bdc17ed5781f92b05cb643793c379

SHA256
9324c2c947454f1e0e8c250c7cdeca59f745a03fc03c6710e7f951404e34b5ea

SHA512
62b9e2e5fa2b0989cae320722228a1bfe409b82917112bcbe8e07de9668e2deff8e1e4ab2c0ee376af2770c15aa602a3f5da589575d1958010168264b4444b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
2cc99096230ee1caa1c85bb1800e16b3

SHA1
7ee969fe53b681e62fd58b538de390818b3b7f81

SHA256
f248735bd8776604f4a7050affc62f0cace23af93f27a11b34e9b7b3f1c2ef0f

SHA512
7b1d72a86ae9e2dc6486435b6836b485df1cda271bfd0bc6781958a1de87a5ac884f8cdf69b860daa8ea57d3e720ebe0b5d657e3a2e43b1c78a335039063a483

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9DCC.tmp\NScurl.dll

Filesize
3.6MB

MD5
aaeb8f600472be5a576dd6650ef095dc

SHA1
289dcb90640dedf59c4d71b020eec8198f459619

SHA256
8c354ef302075c1b07a713b0b3ab833d8549e61e5c22132fe6e3d1d11647e60e

SHA512
888376bf44d61477bd24b68947f2ae21c79bcbb2fb778c898fff04e6d85073d650e370c8af70867ab8f6a956ed434acb03c01e663993f1de98e7622928b852d2

Download Submit