Malware Analysis Report

2024-11-30 15:56

Sample ID 230124-bq7q6agc64
Target SirCookie.zip
SHA256 a1d03a6d7eb39e9bb6aca13b8d9b3da918f04998b4333070374a48257b683455
Tags discovery evasion spyware stealer trojan mercurialgrabber
Score 10/10


Analysis Overview

Score 10/10

SHA256

a1d03a6d7eb39e9bb6aca13b8d9b3da918f04998b4333070374a48257b683455

Threat Level: Known bad

The file SirCookie.zip was found to be: Known bad.

Malicious Activity Summary

discovery evasion spyware stealer trojan mercurialgrabber

Mercurial Grabber Stealer

Mercurialgrabber family

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Looks for VMWare Tools registry key

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-24 01:22

Signatures

Mercurialgrabber family

mercurialgrabber

Analysis: behavioral12

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20220812-en

Max time kernel

141s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 8.253.225.254:80 tcp
N/A 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20221111-en

Max time kernel

30s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
N/A 88.221.25.153:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20221111-en

Max time kernel

27s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\BetterSocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\BetterSocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20221111-en

Max time kernel

105s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\BetterSocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\BetterSocks.dll,#1

Network

Country Destination Domain Proto
N/A 20.190.160.17:443 tcp
N/A 93.184.221.240:80 tcp
N/A 40.79.150.121:443 tcp
N/A 104.80.225.205:443 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A

Drops file in Program Files directory


Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1} C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1}\AppName = "RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD}\AppName = "RobloxPlayerBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD} C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp

"C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp"

C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp

C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x6b0,0x630,0x7cc,0x7c0,0x7b8,0xa4332c,0xa4333c,0xa4334c

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 clientsettings.api.roblox.com udp
N/A 128.116.125.3:80 clientsettings.api.roblox.com tcp
N/A 8.8.8.8:53 ephemeralcounters.api.roblox.com udp
N/A 128.116.125.3:80 ephemeralcounters.api.roblox.com tcp
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 versioncompatibility.api.roblox.com udp
N/A 128.116.125.3:80 versioncompatibility.api.roblox.com tcp
N/A 8.8.8.8:53 setup.roblox.com udp
N/A 52.216.206.109:80 setup.roblox.com tcp
N/A 8.8.8.8:53 www.roblox.com udp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 23.72.252.169:80 setup.rbxcdn.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.qq.com udp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 8.8.8.8:53 clientsettingscdn.roblox.qq.com udp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 8.8.8.8:53 setup-ak.rbxcdn.com udp
N/A 8.8.8.8:53 setup-ll.rbxcdn.com udp
N/A 8.8.8.8:53 setup-cfly.rbxcdn.com udp
N/A 8.8.8.8:53 setup-hw.rbxcdn.com udp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.72.252.169:443 setup-ak.rbxcdn.com tcp
N/A 13.107.21.200:443 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 udp
N/A 20.189.173.15:443 tcp
N/A 2.18.109.224:443 tcp

Files

memory/3304-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

memory/4380-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

MD5 b9704cc0069123c431aedbc1f2f3772a
SHA1 af349c82475bec5c8dfa4437ce5d1c7a05bda7e3
SHA256 583fd6145c1cf3c48e56c62bbf5ff78e2142dd7203a6a720efcd8de54cf7b175
SHA512 57d65b8b1402f3247903ea99e8897177c1333be1fb6db57b76137d616f8caa13aa86bfdf53acc2f4641de64589445e5fad4e49d64cfaa45a38afad9f2c2cbf3d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\PCClientBootstrapper[1].json

MD5 1e0c3075286b70c6b4a505e2c6b2cb91
SHA1 b25782b6b3a1b4008dad1fe14c1a286d07b8cd30
SHA256 a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e
SHA512 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 6c6fb46b7a72aa2339059a4c9bd653b3
SHA1 fb9e988e1007c6a157facf57c8730cfdea601e53
SHA256 908c20cb38429cbafd88d18ecf77fbb3e3cbf82d4e6f05976df0f1dda6b9420e
SHA512 89d2a18f5ae4af1de5135a4c01985b0eb73242d03a26800743fa96ee869aab492b573bdae760b7a71ce0c3e077540e5b7db143eee01f4a7c9cc8ac8613805b73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 c4f91291b2b9f8ddd3c5b747107edd1d
SHA1 de55f5132dcc0b437bd41cd091b0a2c6ab581747
SHA256 e82b9ff71f2037cc46ec5f3b57b87ef2acfebadad6bf4b01ddc5b3a200918072
SHA512 2bfe5bf90bc78613afc28b113d3c5342e39811edcb2e1451fec3326226483ad2f461178bcdd90af75607be262ce2bb786c1f6e96e64deb51d7eccc112cfd7c5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 70adeb4c5eeda6de4011c1cb80d5b08c
SHA1 71db96a3928c314daa62852c6c2b01e69cfbf0d7
SHA256 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e
SHA512 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 3b7680ee1d0f2fd935753a23c39800cb
SHA1 2716d2ffa5f3a3daa7d66f7aae4f40f9e9f84910
SHA256 8b7533ea6ecb3078e28c233b69dcff9ebc6779a533ac6b175ecbaecea6b738e5
SHA512 8756c6b7241f5166c6b2f50b7a0b483ca6c16229ebc1e3c1c15c5ee71fa1433b38c111e389c2bf4fd481115faf2b59bdd0d34b60afb6a14d662b05b40cc7c0a9

Analysis: behavioral14

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20221111-en

Max time kernel

91s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 93.184.220.29:80 tcp
N/A 20.44.10.123:443 tcp
N/A 8.238.20.126:80 tcp
N/A 8.238.20.126:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.238.20.126:80 tcp
N/A 8.238.20.126:80 tcp
N/A 204.79.197.203:80 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20220812-en

Max time kernel

89s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 1268 -ip 1268

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1268 -s 1708

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.128.233:443 discord.com tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 52.168.117.170:443 tcp
N/A 93.184.221.240:80 tcp

Files

memory/1268-132-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/1268-133-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

memory/1268-134-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20221111-en

Max time kernel

91s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Network

Country Destination Domain Proto
N/A 72.21.81.240:80 tcp
N/A 72.21.81.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 20.189.173.11:443 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20220812-en

Max time kernel

90s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\BetterSocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\BetterSocks.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 95.101.78.82:80 tcp
N/A 95.101.78.82:80 tcp
N/A 104.80.225.205:443 tcp
N/A 51.11.192.48:443 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20221111-en

Max time kernel

27s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20220812-en

Max time kernel

42s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1808 -s 1100

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.136.232:443 discord.com tcp

Files

memory/1808-54-0x00000000010E0000-0x00000000010F0000-memory.dmp

memory/1400-55-0x0000000000000000-mapping.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20221111-en

Max time kernel

112s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 4704 -ip 4704

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4704 -s 1712

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.135.232:443 discord.com tcp
N/A 20.42.73.24:443 tcp
N/A 93.184.220.29:80 tcp
N/A 8.247.211.254:80 tcp
N/A 178.79.208.1:80 tcp
N/A 104.80.225.205:443 tcp

Files

memory/4704-132-0x0000000000300000-0x0000000000310000-memory.dmp

memory/4704-133-0x00007FF8E22B0000-0x00007FF8E2D71000-memory.dmp

memory/4704-134-0x00007FF8E22B0000-0x00007FF8E2D71000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Bunifu_UI_v1.5.3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20220812-en

Max time kernel

139s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 20.42.65.89:443 tcp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 104.110.191.133:80 tcp
N/A 104.110.191.133:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20220812-en

Max time kernel

38s

Max time network

42s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\BetterSocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\BetterSocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20220901-en

Max time kernel

135s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Lists\BidirectionalFlatList.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Lists\FillRateHelper.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Fetch\Dev\JestGlobals.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\getFFlagAutoSyncForContactImporterDisabled.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Emotes\TenFoot\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\typeComparators.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\PurchaseFlow\RobuxUpsell\RobuxUpsellFlow.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\installReducer\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\Misc\UnmuteAll.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphqlTag\GraphqlTag\__tests__\tests.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsListLoadingView\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\NetworkingUsers\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Url.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTestHelpers\SocialTestHelpers\TestHelpers\dumpInstanceTree.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\utilities\common\maybeDeepFreeze.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Cryo\Cryo\List\foldRight.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestConfig\JestConfig\readConfigFileAndSetRootDir.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-e5bec545-6ef031c0\Rodux.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Core\Style\Validator\validateThemedBackgroundImageInfo.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Plastic.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\New\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\SpeakerDark\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\dependencies.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\InfiniteScroller\InfiniteScroller\Components\TimeLogger.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FormFactor\FormFactor\FormFactorReducer.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\LuauPolyfill.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Enums\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\fonts\Nunito-Regular.ttf C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestConsole-edcba0e9-2.4.1\JestConsole\types.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\TestEZJestAdapter\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-492710c6-1e7909bf\RoduxFriends\Selectors\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\__tests__\UnitTestHelpers\mountStyledFrame.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\UniversalAppPolicy.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\LegacyRbxGui\sandside.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\Dev\TagUtils.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-b6bd621d-e6abd03f\lumberyak\MockLogger.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Grid\DefaultMetricsGridView.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppSystemBar\AppSystemBar\.robloxrc C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphqlHttpArtifacts\GraphqlHttpArtifacts\virtual-event-integration-success\apis.roblox.com\get-virtual-event.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\__tests__\astFromValue.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\__testUtils__\__tests__\genFuzzStrings.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestMatcherUtils-edcba0e9-2.4.1\JestMatcherUtils\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactFiberLazyComponent.new.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Analytics\Analytics\AnalyticsReporters\GoogleAnalytics.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactServiceTags\RoactServiceTags\AppLogging.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-instudio.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\installReducer\shouldFocusChatInputBar.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsExtensionsProxy\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Backpack\Backpack_Down.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\ic-close-gray2.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxNetworking-fe052a05-3.0.2\RoduxNetworking\RequestBuilder\tutils.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Flags\getFStringContactImporterVariantForDev.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Settings\Help\BButtonDark.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuaSocialLibrariesDeps\llama.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactMutableSource.new.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-0ba25b72-b001fcbe\RoduxFriends\Actions\RecommendationDestroyed.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphqlHttpArtifacts\GraphqlHttpArtifacts\virtual-event-rsvps-success\apis.roblox.com\get.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\icons\GameDetails\social\Discord_large.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Emotes\Small\SegmentedCircle.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestRunner\JestEnvironment.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-9c8468d8-8a7220fd\ReactReconciler\ReactCapturedValue.lua C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\btn_newWhite.png C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8} C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8}\AppName = "RobloxPlayerBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4}\AppName = "RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4} C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp
PID 1764 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

"C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp"

C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5ec,0x5f0,0x5f4,0x5c8,0x5fc,0x14d332c,0x14d333c,0x14d334c

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 clientsettings.api.roblox.com udp
N/A 128.116.125.3:80 clientsettings.api.roblox.com tcp
N/A 8.8.8.8:53 ephemeralcounters.api.roblox.com udp
N/A 128.116.125.3:80 ephemeralcounters.api.roblox.com tcp
N/A 8.8.8.8:53 versioncompatibility.api.roblox.com udp
N/A 128.116.125.3:80 versioncompatibility.api.roblox.com tcp
N/A 8.8.8.8:53 setup.roblox.com udp
N/A 54.231.200.168:80 setup.roblox.com tcp
N/A 8.8.8.8:53 www.roblox.com udp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 23.72.252.169:80 setup.rbxcdn.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.qq.com udp
N/A 8.8.8.8:53 clientsettingscdn.roblox.qq.com udp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 8.8.8.8:53 setup-ak.rbxcdn.com udp
N/A 8.8.8.8:53 setup-ll.rbxcdn.com udp
N/A 8.8.8.8:53 setup-cfly.rbxcdn.com udp
N/A 8.8.8.8:53 setup-hw.rbxcdn.com udp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.72.252.169:443 setup-ak.rbxcdn.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp

Files

memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

memory/1764-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

memory/1920-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\PCClientBootstrapper[1].json

MD5 1e0c3075286b70c6b4a505e2c6b2cb91
SHA1 b25782b6b3a1b4008dad1fe14c1a286d07b8cd30
SHA256 a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e
SHA512 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3471b2da5df9e0baa0b197d6fe6c327f
SHA1 a83218379e972dd60c60f6599a0744127236d5c6
SHA256 4d4c36f4a365683df8c49bd7d358f8a1875fc7b17430bdbd62075d22a96a2e14
SHA512 9bf138801ee8c545dd969507a20c9cbe8b1f6b347912e92596f43a762d390d446ccd11f1a54dce1aa1285457c4110d6421d16f47abb1bacd15be01db2cea7a3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 74c2edce2571e267077a219dab1c41ed
SHA1 5cb519ad92a4f7bfbf90385a131a15007731d695
SHA256 f724864a8197b2e3fcd1cae479abbc9677499847e62d101e22d68aeecfaa56fb
SHA512 8f8a7fc9826dce999e7f816cc57338f5281752ea7bfc9cbd3aafc8c14c97bd95e492dbabec43b037e9fabe0b07d21d4b4c85ea33e5edcb949abc3c69de7e179c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 eb10baa87bfbf8a7e43e78759b0c3f3d
SHA1 17d67dbe24e0cc8b4da3a29eb12aa9bc6505cd3e
SHA256 042c832c04f3b58b7feb4bc53834ac851dd036ff834597d9308b1f1d131df7b1
SHA512 d66403c3b215056b7574a864bee1d208f40be8a501a6e660bd9cc418b03920f99bfdba64736a78600c4df09c2526c3915cd5840fded24e1532044ae05230e386

C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

MD5 9ea5fff66f24f6e5111a5a40c92d7511
SHA1 b2b2411a6f0a53164f48893e348debe84a1188ce
SHA256 89457cdbcae4eccf705103baac0fcf6895c89e65ec1ac79303c87cd7d12005ed
SHA512 f51915a69d22de6d89d91cb5e82ed9b784d28bbd1ead2b7ca83934bd4cdf9d80929d54210540746b32c992b2cf207daa303bd147ec6fa15f93cde494a08ee17b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 51d378008c3b2a726f77aec5f36649d3
SHA1 f995bf4c7417d280c2a69286bd8fe364da7a9ef6
SHA256 37bab0c3038a18bb228537262b749053310ebb406fc55b83e6c3e4b862a80a99
SHA512 b14bf386e4a0eb9d3472527ee6b9408fc295ea5d220eac8767ed331b6b2f146376cace80f5a9d0ef69e073e380d17ed72a55dbf87d6b1e9eaa697d50f528304e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 e8d7041e88178441a85426178f11d610
SHA1 d25892a62dd2d9130538c41227658a12b6b3deff
SHA256 67552026b6c52acfdd21dbf046bb96aefbd62ba16c38ca4dbb0ab6aa508ee024
SHA512 d612f62fe3224ff163552913a87206d70826fc5d103a021aa037ab82753c679af26b9470ba54ccf57cf3f1df99f5546e02197bd641b3367bfd2db3056f3de4e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 70adeb4c5eeda6de4011c1cb80d5b08c
SHA1 71db96a3928c314daa62852c6c2b01e69cfbf0d7
SHA256 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e
SHA512 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5

\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 601a6cea26d8b2487cb0b0d4ae2fc070
SHA1 9cfe25b60ffcaaf2af0e967af09ef9b7bfd9e93d
SHA256 9e0e0fe8cf8fcdfbc7461f564cf4555045ff7c5c36dc2c6d9afac0858dba4d2e
SHA512 965d7e1f6c4e763b6258953b4121cf7dd958664a3c75fd359ca1a840be7fe669e7c252f660a649b7c4444174aa8c51e5bb98d682e9aaa49d90a3950ffe1be3a2

\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

MD5 82de1bb3ad69240485c0f89e53dffd5d
SHA1 faa8e97a9f6a0f1213843b5753a6a57911b61d96
SHA256 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede
SHA512 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe

MD5 f8fe2f851181d04a01d05a5da5ba9f23
SHA1 d6cbf7699c89ee753bdf0c864c5264d79d547707
SHA256 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda
SHA512 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac


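The listing above carries the same four digests (MD5 c9c37cc5..., SHA256 219b13ec...) under both Temp\RBX-FA22DCBC.tmp and Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe, so the temp file is a byte-identical copy of the launcher rather than a second payload; RobloxPlayerBeta.exe and RobloxStudioLauncherBeta.exe are the only other distinct binaries in the set. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses this flat path/hash layout, groups entries by SHA-256 so such copies stand out, and checks a local file against an entry with hashlib. The sample listing is three entries copied from this page; the parser assumes the layout stays as shown (a path line followed by MD5/SHA1/SHA256/SHA512 lines) and rejects digests of the wrong length, which catches truncated copy-pastes before they are used as IOCs.

```python
"""Parse a flat sandbox 'Files' listing, group entries by digest and verify
a local copy. Added example for this report; assumes the listing keeps the
layout shown on the page (path line, blank line, MD5/SHA1/SHA256/SHA512)."""
import hashlib
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ALGOS = ("md5", "sha1", "sha256", "sha512")

# Constructed sample: three entries copied verbatim from the report's Files
# section. The first two list identical digests under different paths.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe

MD5 f8fe2f851181d04a01d05a5da5ba9f23
SHA1 d6cbf7699c89ee753bdf0c864c5264d79d547707
SHA256 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda
SHA512 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac
"""


def parse_file_listing(text):
    """Return one dict per entry: {'path': ..., 'md5': ..., 'sha1': ..., ...}.
    Any non-empty line that is not a hash line starts a new entry."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {current['path']}")
        current[algo.lower()] = digest
    return records


def group_by_sha256(records):
    """Map SHA-256 -> list of paths the report lists with that digest."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"]].append(rec["path"])
    return dict(groups)


def shared_content(records):
    """Only digests that appear under more than one path (copies of one file)."""
    return {h: paths for h, paths in group_by_sha256(records).items() if len(paths) > 1}


def hash_file(path, chunk_size=1 << 20):
    """Compute all four digests of a local file in a single pass."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def matches_record(path, record):
    """True when every digest the report lists for `record` matches the file at `path`."""
    actual = hash_file(path)
    return all(actual[a] == record[a] for a in ALGOS if a in record)


if __name__ == "__main__":
    for digest, paths in shared_content(parse_file_listing(SAMPLE_LISTING)).items():
        print(digest)
        for p in paths:
            print("   ", p)
```

Run it on the whole Files section of an analysis (paste the text into SAMPLE_LISTING or read it from a file) to get the de-duplicated set of distinct binaries before pivoting on hashes; matches_record is for confirming that a copy pulled from a host is the one the sandbox saw.
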
Analysis: behavioral16

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win10v2004-20221111-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\AssetPreview\Rejected.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\PlatformContent\pc\textures\diamondplate\normal.dds C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Collections\Collections\Array\from\fromArray.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\PrettyFormat-edcba0e9-2.4.1\RobloxShared.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactIs-a406e214-4230f473\Shared.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-9c8468d8-8a7220fd\Cryo.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\Requests\FetchChatSettings.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SystemInfoProtocol\Dev\JestGlobals.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\Commands\getPlayersFromString.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\RoduxFriends\Models\Recommendation.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Dialog\Modal\ModalWindow.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\AppTempCommon\LuaApp\Thunks\ApiFetchUsersPresences.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\mock\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Button\Validator\validateActionBarContentProps.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Loading\Enum\ReloadingStyle.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SquadWidget\SquadWidget\FloatingActionButton\Common\Enums\SquadState.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\Debugger\Breakpoints\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\BackBehavior.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\SelectionImage\Components\RoundedRectNoInset.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SquadWidget\SquadWidget\FloatingActionButton\Components\FabContainer\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\LuauRegExp.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactIsProxy\Roact17UpgradeFlag.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\PYMKCarousel\SocialLuaAnalytics.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\AvatarEditorImages\Sliders\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestCore\JestCore\getNoTestsFoundMessage.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestRunner\Promise.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Loading\ShimmerPanel.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\xboxRT.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\TopBar\HealthBarBase.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\ChatInput\UI\ChatInputBar\ChatInputBar.story.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-3.2.1\JestUtil\setGlobal.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\Boolean\.robloxrc C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\String\.robloxrc C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\roblox_networking-presence\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactUtils\React.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioSharedUI\radio_selected_disabled_dot.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Dialog\Toast\InteractiveToast.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\HttpServiceMock\HttpServiceMock\HttpRequestWrapper.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\UnitTestHelpers.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ManageCollaborators\closeWidget_light.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestCore\JestCore\getProjectNamesMissingWarning.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\NetworkingContacts-96003ad7-1.7.0\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Dialog\TooltipV2\TooltipController.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UrlBuilder\UrlBuilder\UrlBase.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\JestConfigs\JestGlobals.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\ImageSet\AE\img_set_3x_3.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\jsutils\.robloxrc C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\subscription\__tests__\subscription-stub.roblox.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Core\Slider\GenericSlider.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\core\ApolloClient.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\llama.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\jsutils\__tests__\suggestionList.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\util\.robloxrc C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\UGCValidationImpl\util\isLayeredClothing.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\TopBar\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Thumbnailing\Thumbnailing\LightUtility.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Flags\getFFlagUpdateUploadContacts.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ShareLinkInvalidModal\ShareLinkInvalidModal\ShareLinkInvalidModalContainer.test.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\requireAllModules.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\DeveloperFramework\checkbox_unchecked_hover_dark.png C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\BubbleChat\BillboardGui\BillboardGui.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppName = "RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09} C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\AppName = "RobloxPlayerBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388} C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
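
The rows above register roblox, roblox-player and roblox-studio as URL protocol schemes whose shell\open\command runs the launcher under C:\Program Files (x86)\Roblox\Versions\ with the URL as %1, in both HKLM and the user's _Classes hive. The Internet Explorer rows earlier in this analysis complete the picture: ProtocolExecute\<scheme>\WarnOnOpen = 0 suppresses the browser's "allow this website to open a program" prompt for those schemes, and the Low Rights\ElevationPolicy entries with Policy = 3 let a Protected Mode (low integrity) IE tab start the named executable silently at medium integrity. Any application that wants browser-initiated launches writes exactly these keys, so the "Modifies registry class" and "Modifies Internet Explorer settings" signatures on their own do not separate an installer from a handler hijack; what matters is which binary each scheme resolves to and whether it lives where the AppPath says. The Python below is an added example, not part of the report or of the sandbox's tooling. It reconstructs that state from the rows: the sample is ten rows copied from this page, the row regex is its own, and it assumes the process column holds a path without spaces, which is true of every row in this analysis but not of processes under Program Files.

```python
"""Reconstruct URL-protocol handler and Internet Explorer elevation-policy
state from the registry rows of a sandbox report. Added example for this
report; it assumes the row layout shown on the page and that the process
column holds a path without spaces (true for every row in this analysis)."""
import re
from collections import defaultdict

# Constructed sample: ten rows copied from the behavioral16 signature tables
# (Modifies registry class, Modifies Internet Explorer settings, UAC check).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppName = "RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A
"""

# op, key path, optional = "value" (with \" and \\ escapes), process, target
ROW = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?:str|int)\))\s+'
    r'(?P<key>\\REGISTRY\\.*?)'
    r'(?:\s=\s"(?P<value>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)
HANDLER_CMD = re.compile(r'[\\_]Classes\\(?P<scheme>[^\\]+)\\shell\\open\\command\\$', re.I)
URL_PROTOCOL = re.compile(r'[\\_]Classes\\(?P<scheme>[^\\]+)\\URL Protocol$', re.I)
WARN_ON_OPEN = re.compile(r'\\ProtocolExecute\\(?P<scheme>[^\\]+)\\WarnOnOpen$', re.I)
ELEVATION = re.compile(r'\\ElevationPolicy\\(?P<guid>\{[0-9A-F-]+\})\\(?P<name>AppName|AppPath|Policy)$', re.I)
# Meaning of Policy for a launch requested from a Protected Mode (low integrity) IE tab.
POLICY_MEANING = {0: "launch blocked", 1: "silent launch, low integrity",
                  2: "user is prompted", 3: "silent launch, medium integrity"}


def unescape(value):
    # The report quotes embedded quotes and backslashes with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_rows(text):
    """One dict per row with op, key, value (unescaped or None), process, target."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"row does not match the expected layout: {line}")
        row = m.groupdict()
        if row["value"] is not None:
            row["value"] = unescape(row["value"])
        rows.append(row)
    return rows


def protocol_handlers(rows):
    """scheme -> command, hives written, URL Protocol marker, ProtocolExecute WarnOnOpen."""
    handlers = defaultdict(lambda: {"command": None, "hives": set(),
                                    "url_protocol": False, "warn_on_open": None})
    for row in rows:
        key, value = row["key"], row["value"]
        if (m := HANDLER_CMD.search(key)) and value is not None:
            h = handlers[m["scheme"].lower()]
            h["command"] = value
            h["hives"].add("HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU")
        elif m := URL_PROTOCOL.search(key):
            handlers[m["scheme"].lower()]["url_protocol"] = True
        elif (m := WARN_ON_OPEN.search(key)) and value is not None:
            handlers[m["scheme"].lower()]["warn_on_open"] = int(value)
    return dict(handlers)


def elevation_policies(rows):
    """GUID -> appname, apppath, policy (int) from the IE Low Rights ElevationPolicy writes."""
    policies = defaultdict(dict)
    for row in rows:
        m = ELEVATION.search(row["key"])
        if m and row["value"] is not None:
            name = m["name"].lower()
            policies[m["guid"].upper()][name] = int(row["value"]) if name == "policy" else row["value"]
    return dict(policies)


def findings(rows):
    """Triage lines: what each scheme launches and which browser prompts were disabled."""
    out = []
    for scheme, h in sorted(protocol_handlers(rows).items()):
        if h["command"]:
            out.append(f"{scheme}: handler command {h['command']} [{', '.join(sorted(h['hives']))}]")
        if h["warn_on_open"] == 0:
            out.append(f"{scheme}: ProtocolExecute WarnOnOpen=0, IE open-program prompt suppressed")
    for guid, p in sorted(elevation_policies(rows).items()):
        meaning = POLICY_MEANING.get(p.get("policy"), "unknown")
        out.append(f"{p.get('appname', '?')} under {p.get('apppath', '?')}: "
                   f"ElevationPolicy {guid} Policy={p.get('policy')} ({meaning})")
    return out


if __name__ == "__main__":
    print("\n".join(findings(parse_rows(SAMPLE_ROWS))))
```

The check worth doing with the output is to compare each scheme's command and each ElevationPolicy AppPath against the file listing for the same analysis: here both point into version-af653eb90d574aa0 under Program Files (x86), the directory the RBX-*.tmp process populated. A handler whose command pointed into a user-writable directory, or an ElevationPolicy entry whose AppName did not appear among the dropped files, would be the detail to escalate on.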

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp

"C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp"

C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp

C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7ac,0x7a8,0x7a0,0x6e8,0x7b0,0xbf332c,0xbf333c,0xbf334c

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 clientsettings.api.roblox.com udp
N/A 128.116.125.3:80 clientsettings.api.roblox.com tcp
N/A 8.8.8.8:53 ephemeralcounters.api.roblox.com udp
N/A 128.116.125.3:80 ephemeralcounters.api.roblox.com tcp
N/A 8.8.8.8:53 versioncompatibility.api.roblox.com udp
N/A 128.116.125.3:80 versioncompatibility.api.roblox.com tcp
N/A 8.8.8.8:53 setup.roblox.com udp
N/A 52.216.206.109:80 setup.roblox.com tcp
N/A 8.8.8.8:53 www.roblox.com udp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 23.72.252.138:80 setup.rbxcdn.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.qq.com udp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 8.8.8.8:53 clientsettingscdn.roblox.qq.com udp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 8.8.8.8:53 setup-ak.rbxcdn.com udp
N/A 8.8.8.8:53 setup-ll.rbxcdn.com udp
N/A 8.8.8.8:53 setup-cfly.rbxcdn.com udp
N/A 8.8.8.8:53 setup-hw.rbxcdn.com udp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.72.252.138:443 setup-ak.rbxcdn.com tcp
N/A 204.79.197.200:443 tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 93.184.220.29:80 tcp
N/A 40.79.189.59:443 tcp

Files

memory/832-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp

memory/2668-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\PCClientBootstrapper[1].json

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Analysis: behavioral19

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Looks for VMWare Tools registry key

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1176 -s 1100

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 discord.com udp
N/A 162.159.128.233:443 discord.com tcp

Files

memory/1176-54-0x0000000000190000-0x00000000001A0000-memory.dmp

memory/672-55-0x0000000000000000-mapping.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20221111-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-01-24 01:22

Reported

2023-01-24 01:24

Platform

win7-20220812-en

Max time kernel

139s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\UrlBuilder.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\9-slice\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\icons\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\filter.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\UIBloxConfig.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\PluginManagement\back.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Emotes\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\__tests__\valueFromASTUntyped.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestRunner\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\PurchasePromptDeps\RoactRodux.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\views\SwitchView\SwitchView.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\configs\DateTimeLocaleConfigs\de-de.json C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\GameSettings\CheckedBoxDark.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\AddFriends\dependencies.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\NetworkingVirtualEvents\NetworkingVirtualEvents\config.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\GetFFlagHideMorePageContentWithNoWebViewForVR.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RobloxRequests\RobloxRequests\lib\scopy.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Analytics\FireEvent\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\reduce.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\rodux-networking-6492c3b7-082e44c0\rodux-networking\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\installReducer\init.test.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\graphic\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\icons\ic-more-about.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\particles\forcefield_glow_color.dds C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\AppTempCommon\Temp\EventStream.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\UrlBuilder.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-3.2.1\JestUtil\isInteractive.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Scheduler-9c8468d8-8a7220fd\Shared.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\TestHelpers\addFriendsCarouselRecommendationIdsToState.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\AddFriends\ContactImporterWarningTooltip\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\ShowMoreWrapper\helpers\friendsPerLoadGroup.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\DevConsole\Error.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VR\VRPointerDiscBlue.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\avatar\compositing\R15CompositRightArmBase.mesh C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Settings\Help\GenericController.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\AssetConfig\pending.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactRobloxProxy\ReactRoblox_rc18.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\lock.toml C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\QRCodeTestSuite.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\ArgCheck.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RhodiumHelpers\RhodiumHelpers\findFirstElement.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\AnimationEditor\eventMarker_inner.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\DeveloperFramework\button_arrow_right.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialRoactChat\SocialRoactChat\Models\MockConversation.spec.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\FireEvent\fireEventStream.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\avatar\scripts\humanoidAnimateR15Moods.rbxm C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-9c8468d8-8a7220fd\ReactDevtoolsShared\clipboardjs.mock.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\Flags\GetFFlagControlBubbleUpdates.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame-14x14.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\MicLight\[email protected] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\Otter.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\2D-Collision-Matchers\2D-Collision-Matchers\alignedHorizontally.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\collectArray.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Thunks\AddFriends\init.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\Dev\TestUtils.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Enums\Pages.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\alert-icon-small.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\dpadDown.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Shared-9c8468d8-8a7220fd\Shared\isValidElementType.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Utils\useFetchContactImporterInfoOnce.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\placeholder_video.png C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
File created C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-2.4.1\JestUtil\installCommonGlobals.lua C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\AppName = "RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD} C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\AppName = "RobloxPlayerBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318} C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 780 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
PID 520 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

"C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp"

C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5e4,0x5e8,0x5ec,0x5c0,0x5f4,0x14d332c,0x14d333c,0x14d334c

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 clientsettings.api.roblox.com udp
N/A 128.116.125.3:80 clientsettings.api.roblox.com tcp
N/A 8.8.8.8:53 ephemeralcounters.api.roblox.com udp
N/A 128.116.125.3:80 ephemeralcounters.api.roblox.com tcp
N/A 8.8.8.8:53 versioncompatibility.api.roblox.com udp
N/A 128.116.125.3:80 versioncompatibility.api.roblox.com tcp
N/A 8.8.8.8:53 setup.roblox.com udp
N/A 52.216.81.59:80 setup.roblox.com tcp
N/A 8.8.8.8:53 www.roblox.com udp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 23.72.252.138:80 setup.rbxcdn.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 128.116.125.3:80 www.roblox.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.0.250.209:443 clientsettingscdn.roblox.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 8.8.8.8:53 setup.rbxcdn.qq.com udp
N/A 8.8.8.8:53 clientsettingscdn.roblox.qq.com udp
N/A 8.8.8.8:53 setup.rbxcdn.com udp
N/A 8.8.8.8:53 clientsettingscdn.roblox.com udp
N/A 8.8.8.8:53 setup-ak.rbxcdn.com udp
N/A 8.8.8.8:53 setup-ll.rbxcdn.com udp
N/A 8.8.8.8:53 setup-cfly.rbxcdn.com udp
N/A 8.8.8.8:53 setup-hw.rbxcdn.com udp
N/A 128.116.125.3:443 www.roblox.com tcp
N/A 23.72.252.138:443 setup-ak.rbxcdn.com tcp
N/A 128.116.125.3:443 www.roblox.com tcp

Files

memory/780-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

memory/520-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

memory/776-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\PCClientBootstrapper[1].json

MD5 1e0c3075286b70c6b4a505e2c6b2cb91
SHA1 b25782b6b3a1b4008dad1fe14c1a286d07b8cd30
SHA256 a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e
SHA512 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 74c2edce2571e267077a219dab1c41ed
SHA1 5cb519ad92a4f7bfbf90385a131a15007731d695
SHA256 f724864a8197b2e3fcd1cae479abbc9677499847e62d101e22d68aeecfaa56fb
SHA512 8f8a7fc9826dce999e7f816cc57338f5281752ea7bfc9cbd3aafc8c14c97bd95e492dbabec43b037e9fabe0b07d21d4b4c85ea33e5edcb949abc3c69de7e179c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 3db8da1312b65a6225422bda9e9ea37a
SHA1 dbc92e98f7c3b5d245d430c986936e37b636b89d
SHA256 4b0716af6110f4e4dfa6319f5a6a2522926c2dbf50889d7883e423b6fdae5583
SHA512 e1c8aff31e750acaa37c4388a32642ed077b465a5d8a81b0517b4e352ff3af2e55c7159f966522572a0c8df4f1774c23857f335dc37afeceaf5ad6ec4989c015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2278de4b5c754c22d41040369f3a9b6a
SHA1 c7d317ebe8cac880e8d790525627a4b6c0b48764
SHA256 a266178de92924b0513946a9856e55f333cca24bfa1fb1362c141eca0ef816ca
SHA512 83469d9cfd22ba64d8dc517d9e89288e6e885e59efd1e216c3a0fddbc9fd5bccb5f1e4931bdfe00df8d0881322718fd794d1163fff0e46ab9a33b7623da2e105

C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

MD5 79d6a76432f053750d2d3ff79cf57d32
SHA1 b2a4d35c07efbb5fb9196dd37287db21e5d3befe
SHA256 5ce7f880a3ee80a59a33e5d1541560b3f636d164e92d9aff87c30793398830ba
SHA512 2fa4f54d31c7bce63a7ddd5b0909f664bf19dcfddacb1b5c3563dc6f99f6c4fb30e78a0951430120c4458a72f418b7367c4f0aec02b0cc133a45bded10e47d0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f02c5c9ac5cd3083b93e617752d69873
SHA1 eef3d281d7aeaebb5e2925d6e2b3fd74c9b77cc8
SHA256 08de51c17eda94896381387c58661c98bcce5736ff59e87dec631afb63474383
SHA512 e3bd93c4c7cceaee87ca33e0eb51708390610b1c5f2e8902466daf176da3a13247a95e40c7b9f0277f9e7157faedb02e8854067dbbef1f4809aa80784af655c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 6c6fb46b7a72aa2339059a4c9bd653b3
SHA1 fb9e988e1007c6a157facf57c8730cfdea601e53
SHA256 908c20cb38429cbafd88d18ecf77fbb3e3cbf82d4e6f05976df0f1dda6b9420e
SHA512 89d2a18f5ae4af1de5135a4c01985b0eb73242d03a26800743fa96ee869aab492b573bdae760b7a71ce0c3e077540e5b7db143eee01f4a7c9cc8ac8613805b73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 5a761d915ae7389ec5c5ff6d03987fff
SHA1 cfe1228d4b2aca41bc0b81726ed71ec6881aa28e
SHA256 9921cd1d0b329bfc7a06b2d0ab694ecdb431633c73c8e7e69446df7e5ff2c593
SHA512 33aa1c854ba62f37b0a3db10853507eb15a2f604d2a72e7f24eadc81df1629af15123546a84d28499a22233457bde78b2619f160e6701c03986b1970673b9757

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 70adeb4c5eeda6de4011c1cb80d5b08c
SHA1 71db96a3928c314daa62852c6c2b01e69cfbf0d7
SHA256 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e
SHA512 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 0bc465fcfa82fffae012d34784eba355
SHA1 4270fc31d992abd25f6e98babf844a84d6c28014
SHA256 2976fbde1e39e52a32b6981b042d6849b696630b1da0c5edd48932b6e6476496
SHA512 6b983a96e643f36762c96dee0c1bfef1ef8185331d90f7e83f1e0c939ec4d3175620c1a455206d909c3e64a9d9faad670bf77657d54bf76297da3b60e52c9405

\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

MD5 82de1bb3ad69240485c0f89e53dffd5d
SHA1 faa8e97a9f6a0f1213843b5753a6a57911b61d96
SHA256 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede
SHA512 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4

\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

MD5 82de1bb3ad69240485c0f89e53dffd5d
SHA1 faa8e97a9f6a0f1213843b5753a6a57911b61d96
SHA256 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede
SHA512 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe

MD5 c9c37cc5d113277b3851bda9945361f3
SHA1 90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

MD5 82de1bb3ad69240485c0f89e53dffd5d
SHA1 faa8e97a9f6a0f1213843b5753a6a57911b61d96
SHA256 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede
SHA512 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe

MD5 f8fe2f851181d04a01d05a5da5ba9f23
SHA1 d6cbf7699c89ee753bdf0c864c5264d79d547707
SHA256 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda
SHA512 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac

\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe

MD5 f8fe2f851181d04a01d05a5da5ba9f23
SHA1 d6cbf7699c89ee753bdf0c864c5264d79d547707
SHA256 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda
SHA512 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac