219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0

Analysis

max time kernel
138s
max time network
126s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
31/01/2023, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher.exe
Size

2.0MB
MD5

c9c37cc5d113277b3851bda9945361f3
SHA1

90ecb64b54b1df08cd75fd10669397c5dd790947
SHA256

219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0
SHA512

71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12
SSDEEP

49152:jBzJhqgJrpi9ZE7K2/Twzakz1p9TnVMfPMQ3d2XLTDb6ga3:HhqAMrE7K1Hbi3

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1624	RobloxPlayerLauncher.exe
1888	RobloxPlayerLauncher.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Loads dropped DLL 14 IoCs

pid	Process
1576	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\Settings\MenuBarIcons\HomeTab.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\VoiceChat\SpeakerDark\Unmuted0.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\validation\__tests__\UniqueInputFieldNamesRule.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\Jest-edcba0e9-2.4.1\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\roblox_networking-chat\networking-chat\createRequestThunks.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\fonts\HWYGOTH.ttf	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\particles\legacy_fire_alpha_color.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppCommonLib\AppCommonLib\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphqlHttpArtifacts\GraphqlHttpArtifacts\virtual-event-integration-success\games.roblox.com\get-experience-details.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\language\location.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\RoduxGames-ffcfa086-ca9547e2\RoduxGames\Enums\PlayabilityStatus.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\FindFriendsModal\Components\ContactsImporterOverlay\mapDispatchToProps.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\ShowMoreButton\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GameIconRodux\GameIconRodux\Thunks\ApiFetchGameIcons.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\PlatformContent\pc\textures\plastic\normaldetail.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\Commands\RBXEmoteCommand.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\Locale\Locales\fr-fr.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\InfiniteScroller\Otter.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\Util-96003ad7-0.6.3\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactServiceTags\RoactServiceTags\AppGuiService.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\Emotes\Small\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\validation\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\util\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\Dev\JestGlobals.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\Reducers\rsvps.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\CollisionGroupsEditor\manage.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\None.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\icon_friendrequestsent_16.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\roblox_lua-roact-policy-provider\lua-roact-policy-provider\getPolicyImplementations\fromStaticSource.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\TestEZJestAdapter\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\UIBlox\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\DeveloperInspector\ToolbarIcon.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\StudioToolbox\verified-badge-2x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\mock\mock\Matchers\toBeASpy.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Utils\fetchOSPermissionsForContacts.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\types.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\VoiceChat\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\Actions\UserMuted.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\ui\Settings\Players\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\Events\VoiceParticipantAdded.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\jtaylor_mock\mock\cmpLiteralArgs.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\Components\Carousel\Carousel.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\AnimationEditor\img_forwardslash.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\MaterialManager\Fill.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\mountServerApp\createStore.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\RoactFitComponents\RoactFitComponents\FitFrameHorizontal.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\roblox_lua-roact-policy-provider\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\UIBlox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\textures\DeveloperStorybook\Folder.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\link\utils\fromPromise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\String\String\endsWith.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\RoactFitComponents.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\JestDiff-edcba0e9-2.4.1\LuauPolyfill.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\roblox_asset-card\asset-card\asset-card\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\TestUtils-edcba0e9-3.2.1\LuauPolyfill.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\SocialTestHelpers.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\content\avatar\heads\headN.mesh	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\NetworkingAccountInformation\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\SelectionImage\Components\Toggle.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\hu-hu.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\User\makeMockUser.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_2x_2.png	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AF16ACD-3CF2-4492-80B0-3AA4245D2F40}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94A20845-5940-49EC-A853-63AE052345F4}	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94A20845-5940-49EC-A853-63AE052345F4}\AppPath = "C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AF16ACD-3CF2-4492-80B0-3AA4245D2F40}	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AF16ACD-3CF2-4492-80B0-3AA4245D2F40}\Policy = "3"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94A20845-5940-49EC-A853-63AE052345F4}\AppName = "RobloxPlayerBeta.exe"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94A20845-5940-49EC-A853-63AE052345F4}\Policy = "3"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AF16ACD-3CF2-4492-80B0-3AA4245D2F40}\AppName = "RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-41dcbd77dbcf416f\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\roblox-player\shell\open	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe
1624	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 840	1576	RobloxPlayerLauncher.exe	30
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1576 wrote to memory of 1624	1576	RobloxPlayerLauncher.exe	32
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33
PID 1624 wrote to memory of 1888	1624	RobloxPlayerLauncher.exe	33

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5c4,0x5c8,0x5cc,0x5a0,0x5d4,0x10a332c,0x10a333c,0x10a334c
  2⤵
  - Modifies system certificate store
  PID:840
- C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe
    C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=5d405edfb1976b7e4d3f1f67b16302c21e7e5766 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5c4,0x5c8,0x5cc,0x5a0,0x5d4,0x12832f4,0x1283304,0x1283314
    3⤵
    - Executes dropped EXE
    PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
29dfe305b4212892ea463b542ffbb23e

SHA1
1e8e9f31519b432624bd9ecf4f1122b315c73645

SHA256
5de62195d2b48c7a6b05f14d5bcb0f270cabbd38d9081c28039183376ab99966

SHA512
005ff52a781fcb191f42e5aa802d13631b79f13f51a912c8b7cc4ad34fe630e30e6ae34b84140d675df660e4502659d3199aedd9f9ef9788ef0b76069cbe84c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
29dfe305b4212892ea463b542ffbb23e

SHA1
1e8e9f31519b432624bd9ecf4f1122b315c73645

SHA256
5de62195d2b48c7a6b05f14d5bcb0f270cabbd38d9081c28039183376ab99966

SHA512
005ff52a781fcb191f42e5aa802d13631b79f13f51a912c8b7cc4ad34fe630e30e6ae34b84140d675df660e4502659d3199aedd9f9ef9788ef0b76069cbe84c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7

Filesize
1KB

MD5
c6ff24d9f34ba8eca141f13cae45d0d8

SHA1
4385676aa4330f7945bd51b0ff67e28f29d9a460

SHA256
ccda2faa1e6c54c7ee710619d7fe52a89c00cade4e4073042b9f6b0e283e0821

SHA512
fc164f1dfdf9d6ab01f81689a6a3d96b933187084932cfe883f6956c13325ec56ca0980f844c0eae87ca7b5bf90008c3cd1765bc61f743e22a5753fbc7e8cc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7

Filesize
1KB

MD5
c6ff24d9f34ba8eca141f13cae45d0d8

SHA1
4385676aa4330f7945bd51b0ff67e28f29d9a460

SHA256
ccda2faa1e6c54c7ee710619d7fe52a89c00cade4e4073042b9f6b0e283e0821

SHA512
fc164f1dfdf9d6ab01f81689a6a3d96b933187084932cfe883f6956c13325ec56ca0980f844c0eae87ca7b5bf90008c3cd1765bc61f743e22a5753fbc7e8cc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
59c7d1c3e315494e116f2c507c82c767

SHA1
12a70b21e3d5d6f4aa8b9f06e115754d2ad47de6

SHA256
9164088264623e289af26a53f6aae4948e9190885685866c9c7675382406d50c

SHA512
a5dafd1fe7527b25a13de644ba43a79e1f2a50aed20f46c8b2b60af9926d08775480fb22f926f903231bf183da016b2dfebb0cc1195505e00b5ab7c84a0f9ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
b93def072383f54ce5000ce4b8ccf928

SHA1
2e5498d461734043bb8388e90ace8e0002ed0bd7

SHA256
f76fef89e8b688e22a28018a2db8ebebc33d5d42aef85c52c8b27073858aef56

SHA512
036c448d11f475abf480b62c377cc164edf7e8c6879f2cce3ea0aa88dd2ba33c3202c7724833bd771f8b4b3fed5ae3e4f95e061327e2469cbf89b04afc981adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6C5BE853DE9635D928C50863E19CD46_58118CA4A1A343467489A27BC4EE02C5

Filesize
1KB

MD5
a642f3f78f39f6b37d8c9c34c4fb4fa1

SHA1
9a5e9d9118ea8c5293e4dc68fdbdc3718fb86c6e

SHA256
258c29336dfc4fedf9fe1164301ce890a27168549918f391c151050b273593ba

SHA512
2eb48b7f13274e7713b42c3a6c2895ff50f1d7e2f4cf6c0b5d3d0c2351e748153c5296a5e5f31c279e67984779fef767f20d27e0fc80bcf2f1cfd5d088176100

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
2f781719b89fd318a854a3f619129c30

SHA1
1168fa63d02ae764755e8f3513e91055f6222c28

SHA256
44d1e0330234db53292b070b90299b3a5184d09a05e1a1159cd183435296fa1f

SHA512
0b2384a1548aed32c9e0d9acec393520e6d5229b170b73cedeb06415b14e5f17b7e82243581b1b11812a5da2062b3e70ea4ebc899ac0a8a07dde7a178ba8690b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
2f781719b89fd318a854a3f619129c30

SHA1
1168fa63d02ae764755e8f3513e91055f6222c28

SHA256
44d1e0330234db53292b070b90299b3a5184d09a05e1a1159cd183435296fa1f

SHA512
0b2384a1548aed32c9e0d9acec393520e6d5229b170b73cedeb06415b14e5f17b7e82243581b1b11812a5da2062b3e70ea4ebc899ac0a8a07dde7a178ba8690b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
cec35a3aa13b05a32389872ed9421c37

SHA1
bcdaa45d168df74fefdc90b3ca9dc6ddcc1f5490

SHA256
e05c62d414fc9517fefd6699ce263e31bc8c25d730bbb81322db25c9b534cff0

SHA512
7089d15eb7cf8cc8718daf1e05ba7d0f3e9fe885246c98bd74fdbedb8fdfb1c9b0b04b0ca780994e8d3d764007a584b98d3eaa919bd8d8d6faddbcbc2d090c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
cec35a3aa13b05a32389872ed9421c37

SHA1
bcdaa45d168df74fefdc90b3ca9dc6ddcc1f5490

SHA256
e05c62d414fc9517fefd6699ce263e31bc8c25d730bbb81322db25c9b534cff0

SHA512
7089d15eb7cf8cc8718daf1e05ba7d0f3e9fe885246c98bd74fdbedb8fdfb1c9b0b04b0ca780994e8d3d764007a584b98d3eaa919bd8d8d6faddbcbc2d090c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7

Filesize
474B

MD5
616ef878766697530418fb34a9a9d4c2

SHA1
f57b35f1e3f0b2998c6dafd64bccdb00f92b3bc8

SHA256
8f94644b2e146cdb3704a965fe15e2b45aee00b0a7f266813860c96fa667c82c

SHA512
5db8ef2da065245bc98f4b2e63df3994ca88b044b9d3b04adc353775585d113ce89e94a0e52e08f2b2c7ee3a06238fbfa0828f8656b518db5eaee6d6e244e6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7

Filesize
474B

MD5
9c41f95341550638e96ea2eb74b7865f

SHA1
365ecb32273f7ff725591af0627a5c108ec38f74

SHA256
72cfa7b6be543173cab9e066d86aac778807d2752b3967f357e046ec7b7fcf21

SHA512
3a589c3604e51860e7dc06dbda8114d4fb6d676fab8994fd772dd5f751eb152d5f1d7f179a999db36f3a9eaf193f93e9c1d5200d1ed6c1c90bc2e01ceb206ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe919efe78d83e05be766ca268ea32ed

SHA1
76d643d740f323df02bb7fdb2dceadf2f54eca67

SHA256
f8022679a1f5abec912119125c7de3072ea381896c1e41fd970e65d4f16b3ac8

SHA512
b36b6dcc78c9481ee7bd1d360401537158007e1eb96d8177313da4313ecd209d7d66f2b479bb399bb5cfb45154724c42784930459ff1d0e19ef75bfb278b397a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221513b0cedc8ca2b6918db460670af6

SHA1
dde1fb923e051893fb4a9d2a7e2559b4377414dd

SHA256
9ede6ee01e14b88d33182296d9d10d52cd4e4760470a31343cd2bc9e62b1fb83

SHA512
1e3f6cb10dedbe809124e51f8829ad356010ec52359433b9466bf96ff5775d94689a679b2d8601374b950face9b2c85ad97a54232ecd4c9941c0d391659cb9b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
915a4e9d92f7f485e34e716d6546941e

SHA1
89c9e3a39cc1ecab814bb49f331d46bf988c4811

SHA256
a3d970f7d071bb0552c5964d17162018c3c84c402647dc0ad157d3d246276b6d

SHA512
58057b0cc2e58809089cffab3b99bde7ca68805707ac78fda9860d1b930047efb50f06c62dc32a5d059335d77f77968509c59dee0c9c55c25a27f451641ba05f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
54798510a8b0705420badaab93f23edd

SHA1
a1c4928eeb9f87ea39f9ea36054033d6ae58a0c2

SHA256
dc25edf0848656fcd6f8ea8cdef785504b68e74aac6e21bba469fc1739c3ca49

SHA512
9bbc8b6053e4e0e26bb9f6029bf6a5956c677d41548eb5017e11cc10c27fe17fedb279c68b0b978588822705b76d4ecd5f036f6fceeb20658988efb77ae37f2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
404B

MD5
188ed0d8e36e882f904620b1b2a58320

SHA1
67add3358efe2042ce1f979da06a819a18fbdaa3

SHA256
951373f45216a954d95e99fb7e782d00dea76b0b34affd0945fc8593eaaa9deb

SHA512
49fcd692270882d4c4bebe445846815d0fa4e10dfb488f5017235ad08943bcb8ce53ca7691256689097a8abf3f405f92faae4118374fb9c5c6ef2100de803e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6C5BE853DE9635D928C50863E19CD46_58118CA4A1A343467489A27BC4EE02C5

Filesize
474B

MD5
c760031af1b90dc02a4958575152fc3e

SHA1
01faec9510dc36ee7dc672c6b64bd5ee0b1cfba5

SHA256
f44a2dd75eaeafa74c3839bd9018c3d9bb302da19e796eea2ef91a9760e4dba9

SHA512
869b8e067aa6bfdfd617e7ae6de8fb719bd13b7b1a2b65d966dacdd78f46c4f7a1a4bda9188c6c2147de4b4d075b99998c448644a12b979ab93f1c06f20d22d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
8f7358e4ed5b6d33da2713b41e9bdf94

SHA1
9316ece51d410cf1ec11f3d4cf9a90416c8d1279

SHA256
ade86e7a6835a17faa4797dc362317aad3ad1b17fd355ede73442d983c3901f3

SHA512
db05188ad7c87a524d8eef6f12146e5082dd211f2614dbc82d3ebfea211939c534abc10ef18e9e69a4fae87c8ca80fcfbec4b965f4b8f5b8a756832a2dc4d29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
d54eade72d5d8e2ec44a6b280dfc18e2

SHA1
ef60542153c8e351375ab0a309ee89c2c1c0c8ec

SHA256
3d0df2fa22db8db6a4dc7003e2969d995821f8909472d0630c45d0da3dd8bc31

SHA512
1b6c333403f1cec4dc3af2e5282d41cc33b9b327439890f08905c4ad58963e556c7e71ecb4bc123b49282f30feeb3b60e0b7fb0915164d1999ee7e559866d151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OB1Q09Y\version-41dcbd77dbcf416f-rbxPkgManifest[1].txt

Filesize
1KB

MD5
a5f5606901cb379a20b7e5fc70c103c2

SHA1
93423ebb99c628e3548ab03ebbfc0e335bcf4ce0

SHA256
ecc5e4347d4cb5413eec9f087cb99e3ee670e25b5552acb66a2866c0e0915f43

SHA512
f339544c52e8fb291b0b45c6d2a0664b58fe0c6d78a7d4d64f3277a96cc1dee39ed13f4648a610b4bfba6b0fe1479fe7588a42211dee53f6d7409505c1456109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNRFMOH\PCClientBootstrapper[1].json

Filesize
2KB

MD5
1d2e8be2220e67b8f843e8549b550c5d

SHA1
79fca6120e881a3a2a3bb9752daa9e52437aa689

SHA256
08876f9e34ee41f9e7dc4d02d62b2fcfe1c3b6d9d34cb53ff41bca5f2c90a025

SHA512
20e026d68c6a4504429305ed9914c99d5f282043c0d82e09e45ac2b7fb1705db18547c779e7c6bf6215bc06905c78aa5e89035432480e0836d42c02ce3391b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNRFMOH\PCClientBootstrapper[1].json

Filesize
2KB

MD5
1d2e8be2220e67b8f843e8549b550c5d

SHA1
79fca6120e881a3a2a3bb9752daa9e52437aa689

SHA256
08876f9e34ee41f9e7dc4d02d62b2fcfe1c3b6d9d34cb53ff41bca5f2c90a025

SHA512
20e026d68c6a4504429305ed9914c99d5f282043c0d82e09e45ac2b7fb1705db18547c779e7c6bf6215bc06905c78aa5e89035432480e0836d42c02ce3391b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNRFMOH\WindowsPlayer[1].json

Filesize
119B

MD5
4a36f518afc2633dea8592f2554f6133

SHA1
2f0286860d7b9c26f47215393fc94fe1b24e7ad0

SHA256
9d2871555cb58928ad2c6ce8fabe5efbbae984091ef0c72a042b2c50c119d428

SHA512
be32a8c9bdc63ba1280278c7f0c0242cef01d3bf1ed9c0dff5b6141e4d76301067850b9574478e1472c24fa3614345707753858c3d76e10f404e16e02f3dac03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF53UGF7\PCClientBootstrapper[1].json

Filesize
2KB

MD5
1d2e8be2220e67b8f843e8549b550c5d

SHA1
79fca6120e881a3a2a3bb9752daa9e52437aa689

SHA256
08876f9e34ee41f9e7dc4d02d62b2fcfe1c3b6d9d34cb53ff41bca5f2c90a025

SHA512
20e026d68c6a4504429305ed9914c99d5f282043c0d82e09e45ac2b7fb1705db18547c779e7c6bf6215bc06905c78aa5e89035432480e0836d42c02ce3391b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
ddccf6c6852b11f6260073946a6fc616

SHA1
bb764c5beaca7c94baf73df5dbd894f8f5187241

SHA256
e51e5a6faa831699c76a877c70b3ff22e2d463cc1efab4d686546df562cc07b6

SHA512
26ce7f9e6d67048227e9afef3c98e7c6ece0f2295b25a1ac9252e9f81671fa9df1869e4dd88fafd6be36886521c86e063fd40d11c01f9eaa6bea417c888e0f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
ddccf6c6852b11f6260073946a6fc616

SHA1
bb764c5beaca7c94baf73df5dbd894f8f5187241

SHA256
e51e5a6faa831699c76a877c70b3ff22e2d463cc1efab4d686546df562cc07b6

SHA512
26ce7f9e6d67048227e9afef3c98e7c6ece0f2295b25a1ac9252e9f81671fa9df1869e4dd88fafd6be36886521c86e063fd40d11c01f9eaa6bea417c888e0f96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7MO8DE7J.txt

Filesize
68B

MD5
c437c30db8db0150a1794e7f8cc0c646

SHA1
01b6881a14b3d1915f5d4fed112ddc72342de7b8

SHA256
b2cdaf100914569bba1cd9697154b00a33dadf7cefce1afe1c75d7b7d8185bbd

SHA512
574ee2679b4f3f92e9408681c90883ca9fe4920cada7ce0eb45e36e6f3e56c6e8f1d8b423e6253f67aea6b65dfc24fd567b68e734407f5d0748c2e119d4b080b

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
322ad896786eea9f94746287710f78bb

SHA1
7cd1e382ca1a8b61df3f2fd7c6307eb549bb7730

SHA256
835fe15f0f4e6b78524e1ffa2eb43e117f38e0bc677535636c99e820f54de1a8

SHA512
e05c413f17338b4b1bf35e64fb61c2930f30dace0028cf0dae8143bd010f2b58d309aefa1a2d6cc636efef15bdaf0075abc790d55a26dca9f263e79f21d10389

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
322ad896786eea9f94746287710f78bb

SHA1
7cd1e382ca1a8b61df3f2fd7c6307eb549bb7730

SHA256
835fe15f0f4e6b78524e1ffa2eb43e117f38e0bc677535636c99e820f54de1a8

SHA512
e05c413f17338b4b1bf35e64fb61c2930f30dace0028cf0dae8143bd010f2b58d309aefa1a2d6cc636efef15bdaf0075abc790d55a26dca9f263e79f21d10389

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
322ad896786eea9f94746287710f78bb

SHA1
7cd1e382ca1a8b61df3f2fd7c6307eb549bb7730

SHA256
835fe15f0f4e6b78524e1ffa2eb43e117f38e0bc677535636c99e820f54de1a8

SHA512
e05c413f17338b4b1bf35e64fb61c2930f30dace0028cf0dae8143bd010f2b58d309aefa1a2d6cc636efef15bdaf0075abc790d55a26dca9f263e79f21d10389

Download Submit
\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerBeta.exe

Filesize
57.5MB

MD5
ccac7596d7a99ec3cf796b286378e5e0

SHA1
e1967831b8472ba519c81e425bdcff10098cd208

SHA256
b720401158d02a6eaf8548df938192f4e9700e2844bfde64257413644b7a4d27

SHA512
d889713d868173a66317a2ec10d20c1fd2bd2a90ab5c7436eb82978ccc75faafc78aeecaac8ba00ff8f563ec4ae1b6245ac0679421f2f9957b6c71fb505ab905

Download Submit
\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerBeta.exe

Filesize
57.5MB

MD5
ccac7596d7a99ec3cf796b286378e5e0

SHA1
e1967831b8472ba519c81e425bdcff10098cd208

SHA256
b720401158d02a6eaf8548df938192f4e9700e2844bfde64257413644b7a4d27

SHA512
d889713d868173a66317a2ec10d20c1fd2bd2a90ab5c7436eb82978ccc75faafc78aeecaac8ba00ff8f563ec4ae1b6245ac0679421f2f9957b6c71fb505ab905

Download Submit
\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-A11FCDC7\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
34d6da080af6ae29247f06bcae9292c5

SHA1
6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

SHA256
ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

SHA512
c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

Download Submit
memory/1576-54-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download