Analysis Overview
SHA256
a1d03a6d7eb39e9bb6aca13b8d9b3da918f04998b4333070374a48257b683455
Threat Level: Known bad
The file SirCookie.zip was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry
Executes dropped EXE
Looks for VMWare Tools registry key
Downloads MZ/PE file
Checks computer location settings
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-24 01:22
Signatures
Mercurialgrabber family
Analysis: behavioral12
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20220812-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Bunifu_UI_v1.5.3.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.253.225.254:80 | | tcp |
| N/A | 8.253.225.254:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20221111-en
Max time kernel
30s
Max time network
103s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 88.221.25.153:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\BetterSocks.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20221111-en
Max time kernel
105s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\BetterSocks.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.190.160.17:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 40.79.150.121:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20220901-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\MenuBar\icon_safety_off.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-9c8468d8-8a7220fd\ReactReconciler\ReactFiberLazyComponent.new.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\ModalBottomSheet\__stories__\Option9.story.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\Analytics.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\avatar\scripts\humanoidAnimatePlayEmote.rbxm | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\sky\cloudDetail3D.dds | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\Debugger\Step-Over.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\GraphQLServer\graphql\resolvers\ScalarResolver.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\Common\findFirstImageInMedia.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-24c5c11f-f6df649b\RoduxFriends\Reducers\Friends\utils\removeUser.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SquadWidget\SquadWidget\SquadLobby\Components\SquadLobbyActionBar\SquadLobbyActionBar.story.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-2.4.1\RobloxShared\RobloxApiDump.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxUsers\RoduxUsers\Actions\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphqlHttpArtifacts\GraphqlHttpArtifacts\experience-media-fail\games.roblox.com\get.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\AppTempCommon\Temp\trimCharacterFromEndString.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ViewSelector\front.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\models\ViewSelector\ViewSelector.rbxm | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\jest.config.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsRevokedAccessDialog\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\TestHelpers\validateEvent.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-3.2.1\JestUtil\pluralize.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\roblox_rodux-presence\rodux-presence\Reducer\Presence\byPlaceId.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\PlatformContent\pc\textures\water\normal_22.dds | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\rodux-networking-6492c3b7-082e44c0\rodux-networking\NetworkStatus\setStatus.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SquadWidget\SquadWidget\SquadLobby\Components\SquadInviteTopBar\SquadInviteTopBar.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\DiscoverabilityModal\DiscoverabilityModal\Components\DiscoverabilityOverlay\DiscoverabilityOverlayContainer.test.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\AvatarEditorImages\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\MaterialManager\chevrons-left.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\ChatInput\ChatInputApp.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\Symbol\.robloxrc | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\String\Number.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\AppContainer\AppContainer.story.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestEach-edcba0e9-3.2.1\JestEach\table\array.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RecordPlayback\RecordPlayback\ArtifactLoader.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\configs\DateTimeLocaleConfigs\de-de.json | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\PlayerList\NewAvatarBackground.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\enumerate.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-0ba25b72-b001fcbe\Rodux.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-492710c6-1e7909bf\RoduxFriends\Selectors\getFriendshipStatusByUserId.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Requests\GamesMultigetPlaceDetails.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\ko-kr.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\UniversalAppPolicy\SharedFlags.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TestUtils\ReactRoblox.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\AvatarEditorImages\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\InspectMenu\Button_outline.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\class.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoactGamepad\RoactGamepad\Test\MockEngine.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\RoduxFriends\Actions\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\Components\CarouselUserContextualInfo\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\InspectMenu\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\getOtherDisplayNameInWhisperChannel.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\Locale\Locales\it-it.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\React-a406e214-4230f473\Shared.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-24c5c11f-f6df649b\RoduxNetworking.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\RoactPaginator\loadNextSymbol.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\DiscoverabilityModal\DiscoverabilityModal\Common\Constants.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\fonts\IndieFlower-Regular.ttf | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\MaterialManager\Gradient_Hover_DT.png | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\Utility\getModalShownEventData.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\NetworkingPresence-1b011daa-31f6545b\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1} | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1}\AppName = "RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD}\AppName = "RobloxPlayerBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{84025983-9531-43E4-AE79-FABDCDC2FDFD} | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{755DBA41-F5E3-4F22-822E-1BA1E22979A1}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4396 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp |
| PID 4396 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp |
| PID 4396 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp |
| PID 3304 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp |
| PID 3304 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp |
| PID 3304 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp
"C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp"
C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp
C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x6b0,0x630,0x7cc,0x7c0,0x7b8,0xa4332c,0xa4333c,0xa4334c
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | clientsettings.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | clientsettings.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | ephemeralcounters.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | ephemeralcounters.api.roblox.com | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.8.8.8:53 | versioncompatibility.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | versioncompatibility.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.roblox.com | udp |
| N/A | 52.216.206.109:80 | setup.roblox.com | tcp |
| N/A | 8.8.8.8:53 | www.roblox.com | udp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 23.72.252.169:80 | setup.rbxcdn.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.qq.com | udp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.qq.com | udp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 8.8.8.8:53 | setup-ak.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-ll.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-cfly.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-hw.rbxcdn.com | udp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.72.252.169:443 | setup-ak.rbxcdn.com | tcp |
| N/A | 13.107.21.200:443 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.8.8.8:53 | | udp |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 2.18.109.224:443 | | tcp |
Files
memory/3304-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RBX-A9740A86.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
memory/4380-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
| MD5 | b9704cc0069123c431aedbc1f2f3772a |
| SHA1 | af349c82475bec5c8dfa4437ce5d1c7a05bda7e3 |
| SHA256 | 583fd6145c1cf3c48e56c62bbf5ff78e2142dd7203a6a720efcd8de54cf7b175 |
| SHA512 | 57d65b8b1402f3247903ea99e8897177c1333be1fb6db57b76137d616f8caa13aa86bfdf53acc2f4641de64589445e5fad4e49d64cfaa45a38afad9f2c2cbf3d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\PCClientBootstrapper[1].json
| MD5 | 1e0c3075286b70c6b4a505e2c6b2cb91 |
| SHA1 | b25782b6b3a1b4008dad1fe14c1a286d07b8cd30 |
| SHA256 | a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e |
| SHA512 | 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 6c6fb46b7a72aa2339059a4c9bd653b3 |
| SHA1 | fb9e988e1007c6a157facf57c8730cfdea601e53 |
| SHA256 | 908c20cb38429cbafd88d18ecf77fbb3e3cbf82d4e6f05976df0f1dda6b9420e |
| SHA512 | 89d2a18f5ae4af1de5135a4c01985b0eb73242d03a26800743fa96ee869aab492b573bdae760b7a71ce0c3e077540e5b7db143eee01f4a7c9cc8ac8613805b73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | c4f91291b2b9f8ddd3c5b747107edd1d |
| SHA1 | de55f5132dcc0b437bd41cd091b0a2c6ab581747 |
| SHA256 | e82b9ff71f2037cc46ec5f3b57b87ef2acfebadad6bf4b01ddc5b3a200918072 |
| SHA512 | 2bfe5bf90bc78613afc28b113d3c5342e39811edcb2e1451fec3326226483ad2f461178bcdd90af75607be262ce2bb786c1f6e96e64deb51d7eccc112cfd7c5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 70adeb4c5eeda6de4011c1cb80d5b08c |
| SHA1 | 71db96a3928c314daa62852c6c2b01e69cfbf0d7 |
| SHA256 | 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e |
| SHA512 | 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 3b7680ee1d0f2fd935753a23c39800cb |
| SHA1 | 2716d2ffa5f3a3daa7d66f7aae4f40f9e9f84910 |
| SHA256 | 8b7533ea6ecb3078e28c233b69dcff9ebc6779a533ac6b175ecbaecea6b738e5 |
| SHA512 | 8756c6b7241f5166c6b2f50b7a0b483ca6c16229ebc1e3c1c15c5ee71fa1433b38c111e389c2bf4fd481115faf2b59bdd0d34b60afb6a14d662b05b40cc7c0a9 |
Analysis: behavioral14
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20221111-en
Max time kernel
91s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 20.44.10.123:443 | | tcp |
| N/A | 8.238.20.126:80 | | tcp |
| N/A | 8.238.20.126:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.238.20.126:80 | | tcp |
| N/A | 8.238.20.126:80 | | tcp |
| N/A | 204.79.197.203:80 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20220812-en
Max time kernel
89s
Max time network
152s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1268 -ip 1268
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1268 -s 1708
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 52.168.117.170:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
Files
memory/1268-132-0x0000000000D90000-0x0000000000DA0000-memory.dmp
memory/1268-133-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp
memory/1268-134-0x00007FFE1C5A0000-0x00007FFE1D061000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20221111-en
Max time kernel
91s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Bunifu_UI_v1.5.3.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 20.189.173.11:443 | | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20220812-en
Max time kernel
90s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\BetterSocks.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 95.101.78.82:80 | | tcp |
| N/A | 95.101.78.82:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 51.11.192.48:443 | | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\Bunifu_UI_v1.5.3.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | C:\Windows\system32\WerFault.exe |
| PID 1808 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | C:\Windows\system32\WerFault.exe |
| PID 1808 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\SirTrust.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1808 -s 1100
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.136.232:443 | discord.com | tcp |
Files
memory/1808-54-0x00000000010E0000-0x00000000010F0000-memory.dmp
memory/1400-55-0x0000000000000000-mapping.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20221111-en
Max time kernel
112s
Max time network
128s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4704 -ip 4704
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4704 -s 1712
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.135.232:443 | discord.com | tcp |
| N/A | 20.42.73.24:443 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.247.211.254:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
Files
memory/4704-132-0x0000000000300000-0x0000000000310000-memory.dmp
memory/4704-133-0x00007FF8E22B0000-0x00007FF8E2D71000-memory.dmp
memory/4704-134-0x00007FF8E22B0000-0x00007FF8E2D71000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Bunifu_UI_v1.5.3.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20220812-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 20.42.65.89:443 | | tcp |
| N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20220812-en
Max time kernel
38s
Max time network
42s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\BetterSocks.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20220901-en
Max time kernel
135s
Max time network
120s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Lists\BidirectionalFlatList.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Lists\FillRateHelper.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Fetch\Dev\JestGlobals.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\getFFlagAutoSyncForContactImporterDisabled.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Emotes\TenFoot\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\typeComparators.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\PurchaseFlow\RobuxUpsell\RobuxUpsellFlow.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\installReducer\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\Misc\UnmuteAll.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphqlTag\GraphqlTag\__tests__\tests.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsListLoadingView\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\NetworkingUsers\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Url.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTestHelpers\SocialTestHelpers\TestHelpers\dumpInstanceTree.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\utilities\common\maybeDeepFreeze.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Cryo\Cryo\List\foldRight.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestConfig\JestConfig\readConfigFileAndSetRootDir.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-e5bec545-6ef031c0\Rodux.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Core\Style\Validator\validateThemedBackgroundImageInfo.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Plastic.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\New\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\SpeakerDark\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\dependencies.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\InfiniteScroller\InfiniteScroller\Components\TimeLogger.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FormFactor\FormFactor\FormFactorReducer.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\LuauPolyfill.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Enums\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\fonts\Nunito-Regular.ttf | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestConsole-edcba0e9-2.4.1\JestConsole\types.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\TestEZJestAdapter\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-492710c6-1e7909bf\RoduxFriends\Selectors\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\__tests__\UnitTestHelpers\mountStyledFrame.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\UniversalAppPolicy.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\LegacyRbxGui\sandside.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\Dev\TagUtils.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-b6bd621d-e6abd03f\lumberyak\MockLogger.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Grid\DefaultMetricsGridView.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppSystemBar\AppSystemBar\.robloxrc | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphqlHttpArtifacts\GraphqlHttpArtifacts\virtual-event-integration-success\apis.roblox.com\get-virtual-event.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\__tests__\astFromValue.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\__testUtils__\__tests__\genFuzzStrings.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestMatcherUtils-edcba0e9-2.4.1\JestMatcherUtils\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactFiberLazyComponent.new.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Analytics\Analytics\AnalyticsReporters\GoogleAnalytics.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactServiceTags\RoactServiceTags\AppLogging.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-instudio.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\installReducer\shouldFocusChatInputBar.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsExtensionsProxy\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Backpack\Backpack_Down.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\ic-close-gray2.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxNetworking-fe052a05-3.0.2\RoduxNetworking\RequestBuilder\tutils.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Flags\getFStringContactImporterVariantForDev.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Settings\Help\BButtonDark.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuaSocialLibrariesDeps\llama.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactMutableSource.new.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-0ba25b72-b001fcbe\RoduxFriends\Actions\RecommendationDestroyed.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphqlHttpArtifacts\GraphqlHttpArtifacts\virtual-event-rsvps-success\apis.roblox.com\get.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\icons\GameDetails\social\Discord_large.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Emotes\Small\SegmentedCircle.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestRunner\JestEnvironment.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-9c8468d8-8a7220fd\ReactReconciler\ReactCapturedValue.lua | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\btn_newWhite.png | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8} | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8}\AppName = "RobloxPlayerBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4}\AppName = "RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{562FB148-8BB4-40C0-A8C6-9D6E3A3BEFC8}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11B276F2-0559-4679-BAA4-F2A4C9258AC4} | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp
"C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp"
C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp
C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5ec,0x5f0,0x5f4,0x5c8,0x5fc,0x14d332c,0x14d333c,0x14d334c
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | clientsettings.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | clientsettings.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | ephemeralcounters.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | ephemeralcounters.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | versioncompatibility.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | versioncompatibility.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.roblox.com | udp |
| N/A | 54.231.200.168:80 | setup.roblox.com | tcp |
| N/A | 8.8.8.8:53 | www.roblox.com | udp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 23.72.252.169:80 | setup.rbxcdn.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.qq.com | udp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.qq.com | udp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 8.8.8.8:53 | setup-ak.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-ll.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-cfly.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-hw.rbxcdn.com | udp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.72.252.169:443 | setup-ak.rbxcdn.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
Files
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
memory/1764-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RBX-FA22DCBC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
memory/1920-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\PCClientBootstrapper[1].json
| MD5 | 1e0c3075286b70c6b4a505e2c6b2cb91 |
| SHA1 | b25782b6b3a1b4008dad1fe14c1a286d07b8cd30 |
| SHA256 | a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e |
| SHA512 | 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3471b2da5df9e0baa0b197d6fe6c327f |
| SHA1 | a83218379e972dd60c60f6599a0744127236d5c6 |
| SHA256 | 4d4c36f4a365683df8c49bd7d358f8a1875fc7b17430bdbd62075d22a96a2e14 |
| SHA512 | 9bf138801ee8c545dd969507a20c9cbe8b1f6b347912e92596f43a762d390d446ccd11f1a54dce1aa1285457c4110d6421d16f47abb1bacd15be01db2cea7a3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 74c2edce2571e267077a219dab1c41ed |
| SHA1 | 5cb519ad92a4f7bfbf90385a131a15007731d695 |
| SHA256 | f724864a8197b2e3fcd1cae479abbc9677499847e62d101e22d68aeecfaa56fb |
| SHA512 | 8f8a7fc9826dce999e7f816cc57338f5281752ea7bfc9cbd3aafc8c14c97bd95e492dbabec43b037e9fabe0b07d21d4b4c85ea33e5edcb949abc3c69de7e179c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | eb10baa87bfbf8a7e43e78759b0c3f3d |
| SHA1 | 17d67dbe24e0cc8b4da3a29eb12aa9bc6505cd3e |
| SHA256 | 042c832c04f3b58b7feb4bc53834ac851dd036ff834597d9308b1f1d131df7b1 |
| SHA512 | d66403c3b215056b7574a864bee1d208f40be8a501a6e660bd9cc418b03920f99bfdba64736a78600c4df09c2526c3915cd5840fded24e1532044ae05230e386 |
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
| MD5 | 9ea5fff66f24f6e5111a5a40c92d7511 |
| SHA1 | b2b2411a6f0a53164f48893e348debe84a1188ce |
| SHA256 | 89457cdbcae4eccf705103baac0fcf6895c89e65ec1ac79303c87cd7d12005ed |
| SHA512 | f51915a69d22de6d89d91cb5e82ed9b784d28bbd1ead2b7ca83934bd4cdf9d80929d54210540746b32c992b2cf207daa303bd147ec6fa15f93cde494a08ee17b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 51d378008c3b2a726f77aec5f36649d3 |
| SHA1 | f995bf4c7417d280c2a69286bd8fe364da7a9ef6 |
| SHA256 | 37bab0c3038a18bb228537262b749053310ebb406fc55b83e6c3e4b862a80a99 |
| SHA512 | b14bf386e4a0eb9d3472527ee6b9408fc295ea5d220eac8767ed331b6b2f146376cace80f5a9d0ef69e073e380d17ed72a55dbf87d6b1e9eaa697d50f528304e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | e8d7041e88178441a85426178f11d610 |
| SHA1 | d25892a62dd2d9130538c41227658a12b6b3deff |
| SHA256 | 67552026b6c52acfdd21dbf046bb96aefbd62ba16c38ca4dbb0ab6aa508ee024 |
| SHA512 | d612f62fe3224ff163552913a87206d70826fc5d103a021aa037ab82753c679af26b9470ba54ccf57cf3f1df99f5546e02197bd641b3367bfd2db3056f3de4e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 70adeb4c5eeda6de4011c1cb80d5b08c |
| SHA1 | 71db96a3928c314daa62852c6c2b01e69cfbf0d7 |
| SHA256 | 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e |
| SHA512 | 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 601a6cea26d8b2487cb0b0d4ae2fc070 |
| SHA1 | 9cfe25b60ffcaaf2af0e967af09ef9b7bfd9e93d |
| SHA256 | 9e0e0fe8cf8fcdfbc7461f564cf4555045ff7c5c36dc2c6d9afac0858dba4d2e |
| SHA512 | 965d7e1f6c4e763b6258953b4121cf7dd958664a3c75fd359ca1a840be7fe669e7c252f660a649b7c4444174aa8c51e5bb98d682e9aaa49d90a3950ffe1be3a2 |
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
| MD5 | 82de1bb3ad69240485c0f89e53dffd5d |
| SHA1 | faa8e97a9f6a0f1213843b5753a6a57911b61d96 |
| SHA256 | 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede |
| SHA512 | 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4 |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe
| MD5 | f8fe2f851181d04a01d05a5da5ba9f23 |
| SHA1 | d6cbf7699c89ee753bdf0c864c5264d79d547707 |
| SHA256 | 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda |
| SHA512 | 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac |
Analysis: behavioral16
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win10v2004-20221111-en
Max time kernel
151s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\AssetPreview\Rejected.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\PlatformContent\pc\textures\diamondplate\normal.dds | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Collections\Collections\Array\from\fromArray.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\PrettyFormat-edcba0e9-2.4.1\RobloxShared.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactIs-a406e214-4230f473\Shared.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-9c8468d8-8a7220fd\Cryo.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\Requests\FetchChatSettings.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SystemInfoProtocol\Dev\JestGlobals.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\Commands\getPlayersFromString.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\RoduxFriends\Models\Recommendation.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Dialog\Modal\ModalWindow.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\AppTempCommon\LuaApp\Thunks\ApiFetchUsersPresences.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\mock\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Button\Validator\validateActionBarContentProps.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Loading\Enum\ReloadingStyle.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SquadWidget\SquadWidget\FloatingActionButton\Common\Enums\SquadState.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\Debugger\Breakpoints\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\BackBehavior.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\SelectionImage\Components\RoundedRectNoInset.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SquadWidget\SquadWidget\FloatingActionButton\Components\FabContainer\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\LuauRegExp.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactIsProxy\Roact17UpgradeFlag.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\PYMKCarousel\SocialLuaAnalytics.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\AvatarEditorImages\Sliders\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestCore\JestCore\getNoTestsFoundMessage.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestRunner\Promise.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Loading\ShimmerPanel.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\xboxRT.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\TopBar\HealthBarBase.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\ChatInput\UI\ChatInputBar\ChatInputBar.story.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-3.2.1\JestUtil\setGlobal.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\Boolean\.robloxrc | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\String\.robloxrc | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\roblox_networking-presence\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactUtils\React.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioSharedUI\radio_selected_disabled_dot.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Dialog\Toast\InteractiveToast.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\HttpServiceMock\HttpServiceMock\HttpRequestWrapper.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\UnitTestHelpers.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ManageCollaborators\closeWidget_light.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestCore\JestCore\getProjectNamesMissingWarning.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\NetworkingContacts-96003ad7-1.7.0\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Dialog\TooltipV2\TooltipController.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UrlBuilder\UrlBuilder\UrlBase.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\JestConfigs\JestGlobals.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\ImageSet\AE\img_set_3x_3.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\jsutils\.robloxrc | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\subscription\__tests__\subscription-stub.roblox.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Core\Slider\GenericSlider.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\core\ApolloClient.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\llama.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\jsutils\__tests__\suggestionList.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\util\.robloxrc | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\UGCValidationImpl\util\isLayeredClothing.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\TopBar\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Thumbnailing\Thumbnailing\LightUtility.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Flags\getFFlagUpdateUploadContacts.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ShareLinkInvalidModal\ShareLinkInvalidModal\ShareLinkInvalidModalContainer.test.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\requireAllModules.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\DeveloperFramework\checkbox_unchecked_hover_dark.png | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\BubbleChat\BillboardGui\BillboardGui.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppName = "RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09} | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\AppName = "RobloxPlayerBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388} | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
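Taken together, the two registry tables above register three URL schemes (roblox, roblox-player, roblox-studio) whose shell\open\command points at the dropped launcher with the URL passed as %1, set WarnOnOpen=0 under IE's ProtocolExecute (which suppresses the "allow this website to open a program" prompt), and add Low Rights ElevationPolicy entries with Policy=3 (Protected Mode launches the named program silently at medium integrity). The result is a launcher reachable from a browser via roblox-player: links without a prompt. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's own table format and summarises what was registered. The sample rows are copied from the tables above; the findings() wording and the "outside Program Files" heuristic are the example's own. On a live host the same checks would be run against HKCR and HKCU\Software\Classes instead of report rows.

```python
"""Audit URL-protocol handler and IE Protected Mode registry changes.

Added example (not part of the sandbox report): parses rows in the
report's table format and summarises the handlers and policies set.
"""
import re
from collections import defaultdict

# Constructed subset of rows from the report's 'Modifies registry class'
# and 'Modifies Internet Explorer settings' tables.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\AppName = "RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3A6679B4-BBD3-4089-B71E-4AB0DB7A9F09}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\AppName = "RobloxPlayerBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C24AD434-3A91-4268-9FA6-D9F238C52388}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | N/A |
"""

HIVE = re.compile(r"^\\REGISTRY\\(MACHINE|USER)\\", re.I)
# HKLM uses ...\Classes\<scheme>, HKU uses ...<SID>_Classes\<scheme>
HANDLER = re.compile(r"(?:\\|_)Classes\\([^\\]+)\\shell\\open\\command\\?$", re.I)
URLPROTO = re.compile(r"(?:\\|_)Classes\\([^\\]+)\\URL Protocol$", re.I)
WARN = re.compile(r"\\ProtocolExecute\\([^\\]+)\\WarnOnOpen$", re.I)
ELEV = re.compile(r"\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})\\(Policy|AppName|AppPath)$", re.I)
# indicator cell is either a bare key path or  <key> = "<escaped value>"
KV = re.compile(r'^(?P<key>.+?) = "(?P<val>.*)"$')


def unescape(s):
    """Undo the report's backslash escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_indicator(ind):
    m = KV.match(ind)
    return (m.group("key"), unescape(m.group("val"))) if m else (ind, None)


def command_exe(cmd):
    """Executable portion of a shell\\open\\command value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def audit(rows_text):
    handlers, url_protocols, warn_off = {}, set(), set()
    elevation = defaultdict(dict)
    for line in rows_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        key, val = parse_indicator(cells[1])
        hive_m = HIVE.match(key)
        hive = hive_m.group(1).upper() if hive_m else "?"
        if (m := HANDLER.search(key)) and val is not None:
            handlers[(hive, m.group(1).lower())] = command_exe(val)
        elif (m := URLPROTO.search(key)):
            url_protocols.add(m.group(1).lower())
        elif (m := WARN.search(key)) and val == "0":
            warn_off.add(m.group(1).lower())
        elif (m := ELEV.search(key)):
            elevation[m.group(1).upper()][m.group(2)] = val
    return {"handlers": handlers, "url_protocols": url_protocols,
            "warn_suppressed": warn_off, "elevation": dict(elevation)}


def findings(summary):
    """Human-readable triage lines; wording and heuristics are this example's own."""
    out = []
    for (hive, scheme), exe in sorted(summary["handlers"].items()):
        if scheme in summary["url_protocols"]:
            out.append(f"{scheme} ({hive}): web-invocable handler -> {exe} (URL delivered as %1)")
        if not exe.lower().startswith("c:\\program files"):
            out.append(f"{scheme} ({hive}): handler outside Program Files: {exe}")
    for scheme in sorted(summary["warn_suppressed"]):
        out.append(f"{scheme}: ProtocolExecute WarnOnOpen=0, IE open-program prompt suppressed")
    for guid, vals in sorted(summary["elevation"].items()):
        if vals.get("Policy") == "3":
            out.append(f"{vals.get('AppName', guid)}: ElevationPolicy Policy=3, "
                       "launched silently from Protected Mode at medium integrity")
    return out


if __name__ == "__main__":
    for line in findings(audit(SAMPLE_ROWS)):
        print(line)
```

The "outside Program Files" check fires on nothing here because the installed handler lives under Program Files (x86); it is the check that would catch a scheme re-pointed at a path under %TEMP% or %APPDATA%.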
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5000 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 5000 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 5000 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 832 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 832 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 832 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp
"C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp"
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7ac,0x7a8,0x7a0,0x6e8,0x7b0,0xbf332c,0xbf333c,0xbf334c
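The WriteProcessMemory rows and the Processes list above describe one chain: RobloxPlayerLauncher.exe (PID 5000) writes into RBX-5C2CFEA7.tmp (PID 832), which in turn writes into a second instance of the same .tmp image (PID 2668), and the Processes list shows that second instance started with --crashpad and an --url pointing at upload.crashes.rbxinfra.com, i.e. the same binary re-launched as its own crash handler. The Python below is an added example, not part of the report, that turns rows in the report's format into a process tree, flags a child running the same image as its parent, and pulls the upload URL and annotations out of the handler command line. Both sample inputs are copied from the tables above.

```python
"""Rebuild a process chain from 'PID X wrote to memory of Y' rows and
inspect the command lines. Added example, not part of the sandbox report."""
import re
from collections import Counter, defaultdict

# Constructed from the report's 'Suspicious use of WriteProcessMemory' table.
WPM_ROWS = r"""
| PID 5000 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 5000 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 5000 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 832 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 832 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
| PID 832 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp | C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp |
"""

# Constructed from the report's 'Processes' list: image path line, then command line.
PROCESS_LINES = r"""
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirCookie\RobloxPlayerLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp
"C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp"
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7ac,0x7a8,0x7a0,0x6e8,0x7b0,0xbf332c,0xbf333c,0xbf334c
"""

WPM = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(rows):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image path})."""
    edges, images = Counter(), {}
    for line in rows.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        m = WPM.search(cells[0])
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        images[src], images[dst] = cells[2], cells[3]
    return edges, images


def process_tree(edges, images):
    """Depth-first list of (depth, pid, image, writes_from_parent)."""
    children, parents = defaultdict(list), {}
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
        parents[dst] = src
    roots = sorted({src for src, _ in edges} - set(parents))
    out = []

    def walk(pid, depth, writes):
        out.append((depth, pid, images.get(pid, "?"), writes))
        for child, n in sorted(children[pid]):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return out


def render_tree(tree):
    """Indented text; marks a child that runs the same image as its parent."""
    lines, stack = [], []
    for depth, pid, image, writes in tree:
        del stack[depth:]            # stack[i] is the image at depth i
        note = ""
        if depth:
            note = f"  [{writes} write(s) from parent]"
            if stack[depth - 1] == image:
                note += " [same image as parent]"
        lines.append(f"{'  ' * depth}{pid} {image}{note}")
        stack.append(image)
    return "\n".join(lines)


def parse_cmdline(cmd):
    """Split a Windows command line into (exe, --flags, --annotation k=v pairs)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    flags, annotations = {}, {}
    for tok in rest.split():
        if not tok.startswith("--"):
            continue
        key, _, val = tok[2:].partition("=")
        if key == "annotation":
            k, _, v = val.partition("=")
            annotations[k] = v
        else:
            flags[key] = val if val else True
    return exe, flags, annotations


def parse_processes(text):
    """Pair up (image path, command line) lines from the Processes list."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def crash_handlers(procs):
    """(image, upload URL) for every process started as a Crashpad handler."""
    return [(image, parse_cmdline(cmd)[1].get("url", ""))
            for image, cmd in procs if "crashpad" in parse_cmdline(cmd)[1]]


if __name__ == "__main__":
    print(render_tree(process_tree(*parse_wpm(WPM_ROWS))))
    print(crash_handlers(parse_processes(PROCESS_LINES)))
```

A child that is the same image as its parent is not suspicious on its own (Crashpad handlers are normally launched this way), but the upload URL and the annotation values are what to compare against the vendor's known crash endpoints when deciding whether a self-relaunch is a crash handler or something borrowing its shape.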
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | clientsettings.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | clientsettings.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | ephemeralcounters.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | ephemeralcounters.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | versioncompatibility.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | versioncompatibility.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.roblox.com | udp |
| N/A | 52.216.206.109:80 | setup.roblox.com | tcp |
| N/A | 8.8.8.8:53 | www.roblox.com | udp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 23.72.252.138:80 | setup.rbxcdn.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.qq.com | udp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.qq.com | udp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 8.8.8.8:53 | setup-ak.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-ll.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-cfly.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-hw.rbxcdn.com | udp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.72.252.138:443 | setup-ak.rbxcdn.com | tcp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 40.79.189.59:443 | | tcp |
Files
memory/832-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RBX-5C2CFEA7.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
memory/2668-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\PCClientBootstrapper[1].json
| MD5 | 1e0c3075286b70c6b4a505e2c6b2cb91 |
| SHA1 | b25782b6b3a1b4008dad1fe14c1a286d07b8cd30 |
| SHA256 | a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e |
| SHA512 | 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 74c2edce2571e267077a219dab1c41ed |
| SHA1 | 5cb519ad92a4f7bfbf90385a131a15007731d695 |
| SHA256 | f724864a8197b2e3fcd1cae479abbc9677499847e62d101e22d68aeecfaa56fb |
| SHA512 | 8f8a7fc9826dce999e7f816cc57338f5281752ea7bfc9cbd3aafc8c14c97bd95e492dbabec43b037e9fabe0b07d21d4b4c85ea33e5edcb949abc3c69de7e179c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | bbbf42352091f77305773e72ec90e286 |
| SHA1 | fac5ce820c8103848638cfb32bc1ca0a65ebf09a |
| SHA256 | 33ec1d89acea22730129000735b333462cfc17fa361433a40b4661cbc0f0da5a |
| SHA512 | 29d5a9239edcf2a6f9df3bc3741f74ce3e4b27763fce446c55febf777c8ce319e95e059ec2315ddc1abe9c261256f403925a7efd9b2a8eb355c616f90dde8a36 |
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
| MD5 | 56e797abf6e52814f894eae25b574475 |
| SHA1 | fc02f5c354f0e808b080ee22b77aa0cf3a2029e0 |
| SHA256 | d4c37069a160e11196344acbfabfdb46799ceffe490153fcfca6516239ec85fd |
| SHA512 | 3ef074a4007b2ebc2c67ac198365f040541b61838a78d48204203555c8d487d22f351def75836052cb0fdef5a2ea6f852b7e547ff1de121c371ac7c303c2f1ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 4369a0fa4b0200d80c6979bf9789f8be |
| SHA1 | edc14020135c3043488a71022bb92c93a3582079 |
| SHA256 | db8b9f945d509afcfeec35ba49ee23bdb585305f9341a9d0db3612f9f9a7499e |
| SHA512 | 4ed8fe02229ac5941b7a571c96a2dbe7a550f5f1a383906c4060ed01449ea5f10c43466cbc842fe88a8cf4207aad6a829f5122f8f1b033344babfa362fc3d7f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | e8d7041e88178441a85426178f11d610 |
| SHA1 | d25892a62dd2d9130538c41227658a12b6b3deff |
| SHA256 | 67552026b6c52acfdd21dbf046bb96aefbd62ba16c38ca4dbb0ab6aa508ee024 |
| SHA512 | d612f62fe3224ff163552913a87206d70826fc5d103a021aa037ab82753c679af26b9470ba54ccf57cf3f1df99f5546e02197bd641b3367bfd2db3056f3de4e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 70adeb4c5eeda6de4011c1cb80d5b08c |
| SHA1 | 71db96a3928c314daa62852c6c2b01e69cfbf0d7 |
| SHA256 | 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e |
| SHA512 | 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | df5b1d4cab0033bd43fc852bd8c99fec |
| SHA1 | 775549499da65393a5f0b0b113e21814193ce972 |
| SHA256 | 011ede25a5b730c8f9838b5d437abbb298f51198722e65ca2fe19cb8c5fa9269 |
| SHA512 | 7a0db957b157a782deaca373e2482ba65b9c4fec4fb6d38a219a585e6cfa4fa18973189a7d22935d604f2a9578e7f94237e0a9c08addba03b7bc6def5a497d62 |
Analysis: behavioral19
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1176 wrote to memory of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | C:\Windows\system32\WerFault.exe |
| PID 1176 wrote to memory of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | C:\Windows\system32\WerFault.exe |
| PID 1176 wrote to memory of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1176 -s 1100
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
Files
memory/1176-54-0x0000000000190000-0x00000000001A0000-memory.dmp
memory/672-55-0x0000000000000000-mapping.dmp
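The behavioral19 run above is the one that actually detonates the stealer: SirTrust.exe opens the VirtualBox Guest Additions and VMware Tools keys, reads BIOS strings and the SCSI/disk enumeration (where the string Ven_VMware gives the hypervisor away), then crashes under WerFault and touches discord.com. The registry rows are the useful part for triage, because the same bundle of lookups from one process is the classic sandbox-detection pattern, while a BIOS read on its own is common in benign installers (RBX-4D969AAC.tmp in behavioral7 only checks EnableLUA and Geo\Nation). The script below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in the table shape used here, classifies each registry indicator, gives a per-process verdict, and ties the `WerFault.exe -u -p 1176 -s 1100` command line back to the memory dumps of PID 1176. The sample rows are copied from the tables above; the category rules, the verdict thresholds and the decoding of the dump file names as `<pid>-<sequence>-<start>[-<end>]-<kind>.dmp` are my assumptions inferred from this page, and the extra `Ven_VBOX`/`Ven_QEMU` strings are well-known hypervisor disk vendor IDs not present in this report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the row shape used by the signature tables in this report
# (Description | Indicator | Process | Target); rows copied from behavioral19 and behavioral7.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
"""

SIRTRUST = r"C:\Users\Admin\AppData\Local\Temp\SirCookie\SirTrust.exe"
RBX_TMP = r"C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp"
WERFAULT_CMD = r"C:\Windows\system32\WerFault.exe -u -p 1176 -s 1100"
DUMPS = ["memory/1176-54-0x0000000000190000-0x00000000001A0000-memory.dmp",
         "memory/672-55-0x0000000000000000-mapping.dmp"]

# Category rules (assumed, first match wins). Hypervisor-artifact lookups are the
# ones that matter for evasion; Ven_VBOX / Ven_QEMU are added well-known IDs.
RULES = [
    ("hypervisor_artifact", re.compile(r"VIRTUALBOX GUEST ADDITIONS|VMWARE TOOLS|VEN_VMWARE|VEN_VBOX|VEN_QEMU", re.I)),
    ("bios_fingerprint", re.compile(r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\", re.I)),
    ("disk_enum", re.compile(r"\\SERVICES\\DISK\\ENUM", re.I)),
    ("uac_check", re.compile(r"\\POLICIES\\SYSTEM\\ENABLELUA$", re.I)),
    ("locale_check", re.compile(r"\\CONTROL PANEL\\INTERNATIONAL\\GEO\\NATION$", re.I)),
]

def parse_rows(text):
    """Split '| a | b | c | d |' rows into dicts; skips blank lines and the header row."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return rows

def classify(indicator):
    """Label one registry path with the first matching rule, or 'other'."""
    for label, rx in RULES:
        if rx.search(indicator):
            return label
    return "other"

def summarize(rows):
    """Per-process Counter of categories, registry indicators only (token rows etc. are skipped)."""
    per_proc = defaultdict(Counter)
    for r in rows:
        if r["indicator"].upper().startswith("\\REGISTRY\\"):
            per_proc[r["process"]][classify(r["indicator"])] += 1
    return per_proc

def evasion_verdict(counter):
    """Hypervisor lookups combined with BIOS/disk reads from one process is the
    sandbox-detection bundle; hypervisor lookups alone are weaker; none means no VM checks."""
    if counter["hypervisor_artifact"] and (counter["bios_fingerprint"] or counter["disk_enum"]):
        return "likely-vm-evasion"
    if counter["hypervisor_artifact"]:
        return "possible-vm-evasion"
    return "no-vm-checks" if counter else "none"

# Assumed layout of the dump names seen in this report: memory/<pid>-<seq>-<start>[-<end>]-<kind>.dmp
DUMP_RX = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")

def parse_dump_name(name):
    """Decode a dump file name into pid, sequence, address range and kind; None if it does not fit."""
    m = DUMP_RX.match(name)
    if not m:
        return None
    pid, seq, start, end, kind = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16),
            "end": int(end, 16) if end else None, "kind": kind}

def crash_correlation(werfault_cmdline, dump_names):
    """WerFault is invoked as '-u -p <pid> -s <event>'; return the dumps taken from that pid."""
    m = re.search(r"-p\s+(\d+)", werfault_cmdline)
    if not m:
        return []
    pid = int(m.group(1))
    return [d for d in map(parse_dump_name, dump_names) if d and d["pid"] == pid]

if __name__ == "__main__":
    for proc, counter in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(proc.rsplit("\\", 1)[-1], dict(counter), evasion_verdict(counter))
    print(crash_correlation(WERFAULT_CMD, DUMPS))
```

Run as a script it prints one line per process with its category counts and verdict, then the dump that belongs to the crashed PID. Feed it the full signature tables of a report rather than the excerpt and the verdict separates SirTrust.exe from the Roblox installer immediately; the Discord connection is not scored here because the report does not show what was sent.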
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20221111-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SirCookie\Newtonsoft.Json.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-01-24 01:22
Reported
2023-01-24 01:24
Platform
win7-20220812-en
Max time kernel
139s
Max time network
119s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\UrlBuilder.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\9-slice\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\filter.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-31a10f32-ced4713c\ExperienceChat\UIBloxConfig.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\PluginManagement\back.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Emotes\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\__tests__\valueFromASTUntyped.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestRunner\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\PurchasePromptDeps\RoactRodux.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\views\SwitchView\SwitchView.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\configs\DateTimeLocaleConfigs\de-de.json | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\GameSettings\CheckedBoxDark.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\AddFriends\dependencies.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\NetworkingVirtualEvents\NetworkingVirtualEvents\config.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\GetFFlagHideMorePageContentWithNoWebViewForVR.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RobloxRequests\RobloxRequests\lib\scopy.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Analytics\FireEvent\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\reduce.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\rodux-networking-6492c3b7-082e44c0\rodux-networking\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\installReducer\init.test.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\graphic\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaApp\icons\ic-more-about.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\particles\forcefield_glow_color.dds | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\AppTempCommon\Temp\EventStream.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\UrlBuilder.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-3.2.1\JestUtil\isInteractive.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Scheduler-9c8468d8-8a7220fd\Shared.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\TestHelpers\addFriendsCarouselRecommendationIdsToState.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\AddFriends\ContactImporterWarningTooltip\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\ShowMoreWrapper\helpers\friendsPerLoadGroup.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\DevConsole\Error.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VR\VRPointerDiscBlue.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\avatar\compositing\R15CompositRightArmBase.mesh | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Settings\Help\GenericController.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\AssetConfig\pending.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactRobloxProxy\ReactRoblox_rc18.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\lock.toml | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\QRCodeTestSuite.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\ArgCheck.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RhodiumHelpers\RhodiumHelpers\findFirstElement.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\AnimationEditor\eventMarker_inner.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\DeveloperFramework\button_arrow_right.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialRoactChat\SocialRoactChat\Models\MockConversation.spec.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\FireEvent\fireEventStream.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\avatar\scripts\humanoidAnimateR15Moods.rbxm | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-9c8468d8-8a7220fd\ReactDevtoolsShared\clipboardjs.mock.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-05d3dc81-aa36afc3\ExperienceChat\Flags\GetFFlagControlBubbleUpdates.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame-14x14.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\VoiceChat\MicLight\[email protected] | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\Otter.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\2D-Collision-Matchers\2D-Collision-Matchers\alignedHorizontally.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\collectArray.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Thunks\AddFriends\init.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\Dev\TestUtils.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Enums\Pages.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\alert-icon-small.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\ui\Controls\dpadDown.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\Shared-9c8468d8-8a7220fd\Shared\isValidElementType.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Utils\useFetchContactImporterInfoOnce.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\content\textures\StudioToolbox\placeholder_video.png | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| File created | C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\ExtraContent\LuaPackages\Packages\_Index\JestUtil-edcba0e9-2.4.1\JestUtil\installCommonGlobals.lua | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\AppName = "RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD} | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\AppName = "RobloxPlayerBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318} | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
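The "Modifies Internet Explorer settings" rows above are what the Roblox installer has to write so that a web page can start the client: a `ProtocolExecute\<scheme>\WarnOnOpen = 0` entry suppresses the "allow this website to open a program" prompt for the `roblox`, `roblox-player` and `roblox-studio` schemes, and each `Low Rights\ElevationPolicy\{GUID}` entry with `Policy = 3` lets Protected Mode IE launch the named AppName from AppPath silently at medium integrity (Microsoft's documented values: 0 block, 1 launch silently at low integrity, 2 prompt then medium integrity, 3 launch silently at medium integrity). Those are legitimate here, but the same two keys are exactly what a malicious installer would set, so the check worth automating is where the AppPath points. The script below is an added example, not part of this report or of Roblox's installer: it folds the `Set value` indicators into per-key records, extracts the elevation policies and protocol prompts, and flags any Policy 3 whose application lives outside Program Files. The sample entries are copied from the rows above (the report escapes backslashes in values as `\\`, which the parser undoes); the final GUID `{00000000-...-000000000001}` pointing at a Temp directory is a constructed counter-example, not something this sample did.

```python
import re
from collections import defaultdict

# Constructed from the 'Set value' indicators above, plus one made-up entry (last GUID) that
# points outside Program Files so the audit has a positive case.
SAMPLE_WRITES = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\Policy = "3"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\AppName = "RobloxPlayerBeta.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{05EBDE32-685F-4084-97CE-B3E3BEFD14DD}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\Policy = "3"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\AppName = "RobloxPlayerLauncher.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B987CAE-F32C-4C50-AC74-34112132B318}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"',
    # constructed counter-example, not from the report
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}\Policy = "3"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}\AppName = "updater.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"',
]

# Documented meaning of the IE Protected Mode ElevationPolicy 'Policy' value.
POLICY_MEANING = {
    "0": "blocked silently",
    "1": "launched silently at low integrity",
    "2": "prompt, then medium integrity",
    "3": "launched silently at medium integrity",
}

# Install roots treated as expected for a silent-launch grant (assumption for this audit).
TRUSTED_ROOTS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")

# '<key path>\<value name> = "<value>"' as the report prints a Set value indicator.
VALUE_RX = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]+) = "(?P<value>.*)"$')

def parse_write(line):
    """Return (key, name, value) for one indicator, unescaping the report's doubled backslashes."""
    m = VALUE_RX.match(line)
    if not m:
        return None
    key, name, value = m.group("key", "name", "value")
    return key, name, value.replace("\\\\", "\\")

def collect(lines):
    """Fold value writes into {key path: {value name: value}}."""
    tree = defaultdict(dict)
    for line in lines:
        parsed = parse_write(line)
        if parsed:
            key, name, value = parsed
            tree[key][name] = value
    return tree

def elevation_policies(tree):
    """{GUID: {'Policy':..., 'AppName':..., 'AppPath':...}} for every ElevationPolicy subkey."""
    out = {}
    for key, vals in tree.items():
        m = re.search(r"\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})$", key)
        if m:
            out[m.group(1)] = vals
    return out

def protocol_warnings(tree):
    """{scheme: WarnOnOpen} for every ProtocolExecute subkey that sets the value."""
    out = {}
    for key, vals in tree.items():
        m = re.search(r"\\ProtocolExecute\\([^\\]+)$", key)
        if m and "WarnOnOpen" in vals:
            out[m.group(1)] = int(vals["WarnOnOpen"])
    return out

def audit(lines):
    """(severity, message) per finding: silent-launch grants outside Program Files are 'suspicious'."""
    tree = collect(lines)
    findings = []
    for guid, vals in elevation_policies(tree).items():
        policy = vals.get("Policy")
        app = vals.get("AppPath", "") + vals.get("AppName", "")
        if policy == "3":
            sev = "info" if app.startswith(TRUSTED_ROOTS) else "suspicious"
            findings.append((sev, f"{guid}: {app} {POLICY_MEANING[policy]}"))
    for scheme, warn in protocol_warnings(tree).items():
        if warn == 0:
            findings.append(("info", f"{scheme}:// opens without the IE 'allow' prompt"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_WRITES):
        print(f"[{sev}] {msg}")
```

On the rows from this report every grant resolves under `C:\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\`, so the audit reports them as informational and only the constructed Temp-directory entry is flagged; the same logic applied to a report for an unknown installer is a quick way to see whether a "Modifies Internet Explorer settings" signature is installer noise or a silent launch path into a user-writable directory.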
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-af653eb90d574aa0\\RobloxPlayerLauncher.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\roblox-player\shell | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = … | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = … | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = … | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SirCookie\RobloxPlayerLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
"C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp"
C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5e4,0x5e8,0x5ec,0x5c0,0x5f4,0x14d332c,0x14d333c,0x14d334c
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | clientsettings.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | clientsettings.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | ephemeralcounters.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | ephemeralcounters.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | versioncompatibility.api.roblox.com | udp |
| N/A | 128.116.125.3:80 | versioncompatibility.api.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.roblox.com | udp |
| N/A | 52.216.81.59:80 | setup.roblox.com | tcp |
| N/A | 8.8.8.8:53 | www.roblox.com | udp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 23.72.252.138:80 | setup.rbxcdn.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 128.116.125.3:80 | www.roblox.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.0.250.209:443 | clientsettingscdn.roblox.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.qq.com | udp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.qq.com | udp |
| N/A | 8.8.8.8:53 | setup.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| N/A | 8.8.8.8:53 | setup-ak.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-ll.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-cfly.rbxcdn.com | udp |
| N/A | 8.8.8.8:53 | setup-hw.rbxcdn.com | udp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
| N/A | 23.72.252.138:443 | setup-ak.rbxcdn.com | tcp |
| N/A | 128.116.125.3:443 | www.roblox.com | tcp |
Files
memory/780-54-0x00000000758C1000-0x00000000758C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
memory/520-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
memory/776-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V72XLT2Z\PCClientBootstrapper[1].json
| MD5 | 1e0c3075286b70c6b4a505e2c6b2cb91 |
| SHA1 | b25782b6b3a1b4008dad1fe14c1a286d07b8cd30 |
| SHA256 | a666bb870aa2ed191dc0f77ba90cc41ffb47e3fb6d77b59bc67f22ed21cff19e |
| SHA512 | 1990f9b9637ccb147b14183b8d5bd8e66a3f267092293e153d8927b68755c8647462195105167ca4218f9a03c6c5cbcbd302b4187b8155795b0b2dabbefff869 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 74c2edce2571e267077a219dab1c41ed |
| SHA1 | 5cb519ad92a4f7bfbf90385a131a15007731d695 |
| SHA256 | f724864a8197b2e3fcd1cae479abbc9677499847e62d101e22d68aeecfaa56fb |
| SHA512 | 8f8a7fc9826dce999e7f816cc57338f5281752ea7bfc9cbd3aafc8c14c97bd95e492dbabec43b037e9fabe0b07d21d4b4c85ea33e5edcb949abc3c69de7e179c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 3db8da1312b65a6225422bda9e9ea37a |
| SHA1 | dbc92e98f7c3b5d245d430c986936e37b636b89d |
| SHA256 | 4b0716af6110f4e4dfa6319f5a6a2522926c2dbf50889d7883e423b6fdae5583 |
| SHA512 | e1c8aff31e750acaa37c4388a32642ed077b465a5d8a81b0517b4e352ff3af2e55c7159f966522572a0c8df4f1774c23857f335dc37afeceaf5ad6ec4989c015 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2278de4b5c754c22d41040369f3a9b6a |
| SHA1 | c7d317ebe8cac880e8d790525627a4b6c0b48764 |
| SHA256 | a266178de92924b0513946a9856e55f333cca24bfa1fb1362c141eca0ef816ca |
| SHA512 | 83469d9cfd22ba64d8dc517d9e89288e6e885e59efd1e216c3a0fddbc9fd5bccb5f1e4931bdfe00df8d0881322718fd794d1163fff0e46ab9a33b7623da2e105 |
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
| MD5 | 79d6a76432f053750d2d3ff79cf57d32 |
| SHA1 | b2a4d35c07efbb5fb9196dd37287db21e5d3befe |
| SHA256 | 5ce7f880a3ee80a59a33e5d1541560b3f636d164e92d9aff87c30793398830ba |
| SHA512 | 2fa4f54d31c7bce63a7ddd5b0909f664bf19dcfddacb1b5c3563dc6f99f6c4fb30e78a0951430120c4458a72f418b7367c4f0aec02b0cc133a45bded10e47d0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f02c5c9ac5cd3083b93e617752d69873 |
| SHA1 | eef3d281d7aeaebb5e2925d6e2b3fd74c9b77cc8 |
| SHA256 | 08de51c17eda94896381387c58661c98bcce5736ff59e87dec631afb63474383 |
| SHA512 | e3bd93c4c7cceaee87ca33e0eb51708390610b1c5f2e8902466daf176da3a13247a95e40c7b9f0277f9e7157faedb02e8854067dbbef1f4809aa80784af655c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 6c6fb46b7a72aa2339059a4c9bd653b3 |
| SHA1 | fb9e988e1007c6a157facf57c8730cfdea601e53 |
| SHA256 | 908c20cb38429cbafd88d18ecf77fbb3e3cbf82d4e6f05976df0f1dda6b9420e |
| SHA512 | 89d2a18f5ae4af1de5135a4c01985b0eb73242d03a26800743fa96ee869aab492b573bdae760b7a71ce0c3e077540e5b7db143eee01f4a7c9cc8ac8613805b73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 5a761d915ae7389ec5c5ff6d03987fff |
| SHA1 | cfe1228d4b2aca41bc0b81726ed71ec6881aa28e |
| SHA256 | 9921cd1d0b329bfc7a06b2d0ab694ecdb431633c73c8e7e69446df7e5ff2c593 |
| SHA512 | 33aa1c854ba62f37b0a3db10853507eb15a2f604d2a72e7f24eadc81df1629af15123546a84d28499a22233457bde78b2619f160e6701c03986b1970673b9757 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 70adeb4c5eeda6de4011c1cb80d5b08c |
| SHA1 | 71db96a3928c314daa62852c6c2b01e69cfbf0d7 |
| SHA256 | 94a5403d0c01981f2181ee3109945806df4dc2c15c29fe4aac5739b0e9966f5e |
| SHA512 | 01eae96663687ff7f5c00e549b15fa02b724e654314aabcb1e515265e1c9413b3f7fed2e21a88571431b564d6aff6f18b1b6b67230b843ff9144f434653667c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 0bc465fcfa82fffae012d34784eba355 |
| SHA1 | 4270fc31d992abd25f6e98babf844a84d6c28014 |
| SHA256 | 2976fbde1e39e52a32b6981b042d6849b696630b1da0c5edd48932b6e6476496 |
| SHA512 | 6b983a96e643f36762c96dee0c1bfef1ef8185331d90f7e83f1e0c939ec4d3175620c1a455206d909c3e64a9d9faad670bf77657d54bf76297da3b60e52c9405 |
\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Users\Admin\AppData\Local\Temp\RBX-4D969AAC.tmp
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
| MD5 | 82de1bb3ad69240485c0f89e53dffd5d |
| SHA1 | faa8e97a9f6a0f1213843b5753a6a57911b61d96 |
| SHA256 | 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede |
| SHA512 | 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4 |
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
| MD5 | 82de1bb3ad69240485c0f89e53dffd5d |
| SHA1 | faa8e97a9f6a0f1213843b5753a6a57911b61d96 |
| SHA256 | 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede |
| SHA512 | 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4 |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerLauncher.exe
| MD5 | c9c37cc5d113277b3851bda9945361f3 |
| SHA1 | 90ecb64b54b1df08cd75fd10669397c5dd790947 |
| SHA256 | 219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0 |
| SHA512 | 71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12 |
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
| MD5 | 82de1bb3ad69240485c0f89e53dffd5d |
| SHA1 | faa8e97a9f6a0f1213843b5753a6a57911b61d96 |
| SHA256 | 071ca4c1d21006aeaf88c6228b84b47be02f139f5ff81ef62a052d223df05ede |
| SHA512 | 1e1ba6ba7e60934ec32294635ed2827cdd370a9f3a38161caee1bd52b4e3eeb1b7f7ba9aa8ffff676a897683cbebc52aff123a29a956f33fa0360f6e052f56a4 |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe
| MD5 | f8fe2f851181d04a01d05a5da5ba9f23 |
| SHA1 | d6cbf7699c89ee753bdf0c864c5264d79d547707 |
| SHA256 | 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda |
| SHA512 | 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac |
\Program Files (x86)\Roblox\Versions\version-af653eb90d574aa0\RobloxPlayerBeta.exe
| MD5 | f8fe2f851181d04a01d05a5da5ba9f23 |
| SHA1 | d6cbf7699c89ee753bdf0c864c5264d79d547707 |
| SHA256 | 2985d6103d43f6c13f41dcf72b4ab2dd1d0cb1cfb8f2e66e75c766ca86372cda |
| SHA512 | 9790090ddbecb37c61d198aebcb918f2fd543f8b6d2137dea9f087feefaa642898c62aeb83346bb9d66e6ac0442d2c50af885f5fd5745c2bbb95fd9c2006b3ac |