9dcd1c7e9bcba6dd6c49e370d0b87ee94e2d0c5d6bbce918759cd942fcd62d07

Analysis

max time kernel
108s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher.exe
Size

2.0MB
MD5

15396fe00f8ee8d7ae41bb6884f9979b
SHA1

5b57ca2e66568d55eb67349f7b68b9a792299743
SHA256

9dcd1c7e9bcba6dd6c49e370d0b87ee94e2d0c5d6bbce918759cd942fcd62d07
SHA512

8e3a75b176f5658a2a08ea6a17cd9dfd35bb3c8f7c5bf843ac2d1eef76ebed599710c8122165d07590845db4e30e4b4fb96456521684a2b48506cdaa6674ee7a
SSDEEP

49152:hSN68wfCWTVlrX/tfQgTpiaYRo2RT48MPPMQ3d2XET4b6Qs:As8wKWTVlL/tfibBs

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RobloxPlayerBeta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Executes dropped EXE 5 IoCs

pid	Process
3712	RobloxPlayerLauncher.exe
2536	RobloxPlayerLauncher.exe
4668	RobloxPlayerLauncher.exe
4756	RobloxPlayerLauncher.exe
4416	RobloxPlayerBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\Math\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-2.4.1\RobloxShared\expect.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\ImageSet\ImageAtlas\img_set_2x_18.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\GraphQL.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\ProfileQRCode\Components\ProfileQRCodeEntryPoint\useScreenSize.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\Commands\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\textures\ui\LuaApp\icons\ic-more.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Actions\LocalCharacterLoaded.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\assertValidName.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\roblox_string-utilities\string-utilities\StringTrim.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\RoactProxy\Roact17_rc16.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\Shared-a406e214-4230f473\Shared\PropMarkers\Event.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\GraphQLServer\graphql\luaTypeDefs\OmniFeed.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppAssets\RobloxAppAssets\GetImageSetPathPattern.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\PlatformContent\pc\textures\metal\normal.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\LuaSocialLibrariesDeps\RoduxFriends.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\Components\Carousel\getFriendsList.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Squads\Squads\FloatingActionButton\Common\Constants.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\routers\validateRouteConfigArray.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-e5bec545-6ef031c0\RoduxFriends\Reducers\Friends\friendsRankByUserId.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Lists\VirtualizedList.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\Debugger\Breakpoints\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\TagEditor\lineargradient.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\BubbleChat\BlankBubble\BlankBubble.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\JestRunner\JestUtil.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\Components\Carousel\getCarouselFetchingStatus.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\FilterByButton\noFriends.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\IAPExperience\IAPExperience\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\fonts\families\Creepster.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\textures\ui\LuaApp\icons\ic-more-settings.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\ChatWindow\UI\ScrollingView\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\rodux-networking-6492c3b7-082e44c0\rodux-networking\mockStore.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\Scheduler-9c8468d8-8a7220fd\Scheduler\getJestMatchers.roblox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\ui\Controls\dpadUp.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\ui\Controls\spacebar.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\textures\ui\LuaApp\category\ic-top rated.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\installReducer\Players\byDisplayName.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\README.md	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\UserCarousel\Components\UIBloxCarouselAdaptor\UIBloxCarouselAdaptorDefault.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Squads\Dev\JestConfigs.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\rodux-networking-6492c3b7-082e44c0\rodux-networking\mockRoduxNetworking.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\RoduxAliases-4b477b13-e5753ce1\RoduxAliases\Selectors\getAliasByUserId.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\RoduxNetworking-fe052a05-2.3.2\Promise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\DeveloperFramework\UIOff_light.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\StudioToolbox\AssetConfig\CenterPlus.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\ui\Settings\Players\Unmute.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\BubbleChat\VoiceIndicator\VoiceIndicator.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactFiberErrorLogger.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Analytics\Navigation\BtnValues.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppHooks\RobloxAppHooks\useDeviceType.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\UIBlox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\ChatWindow\UI\ChatWindow\ChatWindow.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\FriendsLandingEntryPoint\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Localization\Localization\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TnSScreenshot\TnSScreenshot\ScreenshotManager.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\content\textures\AnimationEditor\img_eventMarker_border.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Commands\MuteAndUnmute.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\execution\__tests__\directives.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\JestRunner\Throat.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactFiberWorkLoop.new.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Enums\RecommendationContextTypes.lua	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxPlayerBeta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RobloxPlayerBeta.exe = "11000"	RobloxPlayerBeta.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "1"	svchost.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{34D21A51-7383-4145-B344-4333C6AD2B78}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-7b56ddc3755a46c6\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
3712	RobloxPlayerLauncher.exe
4416	RobloxPlayerBeta.exe
4416	RobloxPlayerBeta.exe
4416	RobloxPlayerBeta.exe
4416	RobloxPlayerBeta.exe
4416	RobloxPlayerBeta.exe
4416	RobloxPlayerBeta.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3376	OpenWith.exe
4416	RobloxPlayerBeta.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4804	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4416	RobloxPlayerBeta.exe
3376	OpenWith.exe
4416	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2796	1496	RobloxPlayerLauncher.exe	85
PID 1496 wrote to memory of 2796	1496	RobloxPlayerLauncher.exe	85
PID 1496 wrote to memory of 2796	1496	RobloxPlayerLauncher.exe	85
PID 1496 wrote to memory of 3712	1496	RobloxPlayerLauncher.exe	93
PID 1496 wrote to memory of 3712	1496	RobloxPlayerLauncher.exe	93
PID 1496 wrote to memory of 3712	1496	RobloxPlayerLauncher.exe	93
PID 3712 wrote to memory of 2536	3712	RobloxPlayerLauncher.exe	94
PID 3712 wrote to memory of 2536	3712	RobloxPlayerLauncher.exe	94
PID 3712 wrote to memory of 2536	3712	RobloxPlayerLauncher.exe	94
PID 4668 wrote to memory of 4756	4668	RobloxPlayerLauncher.exe	105
PID 4668 wrote to memory of 4756	4668	RobloxPlayerLauncher.exe	105
PID 4668 wrote to memory of 4756	4668	RobloxPlayerLauncher.exe	105
PID 4668 wrote to memory of 4416	4668	RobloxPlayerLauncher.exe	106
PID 4668 wrote to memory of 4416	4668	RobloxPlayerLauncher.exe	106
PID 4668 wrote to memory of 4416	4668	RobloxPlayerLauncher.exe	106

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=4b4135d8a5af5c6ff5bb89faa646bc380209874d --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7a4,0x7a8,0x7ac,0x7a0,0x7b4,0x765f68,0x765f78,0x765f88
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe
    C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=1c1d562e2b76ffbba00795ff3ab1415e381b3d0d --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x71c,0x720,0x724,0x56c,0x72c,0x90f810,0x90f820,0x90f830
    3⤵
    - Executes dropped EXE
    PID:2536

C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe" -app
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe
  "C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=1c1d562e2b76ffbba00795ff3ab1415e381b3d0d --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x70c,0x710,0x714,0x68c,0x6e8,0x106f810,0x106f820,0x106f830
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerBeta.exe" --app
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
4dcb85eabda1e00acecbb79e167b39e5

SHA1
eb3e1e090bdb55f6b3c16fc8732a4ec06feb8565

SHA256
bbd68a289156ddc9ea525e2290693ce61dad679d14970fa12d6c09ccd1fee1ec

SHA512
667d3749d450fa7f967f6d1662f6e5114fa54207f149efc0074bf851175140c25d10f1f68b9f92fb0f358a5f6f7600e5bdd3ec5e9e90f070f9b762eff02a95b9

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\AppSettings.xml

Filesize
149B

MD5
48f58abeaac832f838efd2beb25f4c90

SHA1
7878e28b62e5d9bc9042a3e44094e39668f03384

SHA256
893a58e7946728c9dd5caac10e5bdc306a465e406c1f979ded52a13dafebce2d

SHA512
c5e3025b63eead12a0f8192ea41afd1216dd87b14a07d22ebafc6d3d899a06e80da947b3fcd1b3f2cf53b89b3de9967f89c415394d66c277556373b620dc827e

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerBeta.exe

Filesize
58.2MB

MD5
d2808f20f51d1e373ff2b56c43899f2f

SHA1
f349c115d6efe5c5dedf7d26ef9d154ce7b8422b

SHA256
c600ef50a7c55974d1b5aaf1732b11336b25d3d7a1880665d55cc76522d93196

SHA512
6265381a4c76d1ca652abc2b7d637dcc4a048942b79ca19259b1b4dbfd96079d6ada2875e6d53ca6f7b4ebaf5cee8cbdc9a85a09adc3320dd9708f78afb73d98

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-7b56ddc3755a46c6\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
086870e94149b2b89532ef74229f82ed

SHA1
8dbee9bd7d65db5156bb3b2a7656f83a0929c936

SHA256
f51fc6276faa6ee3fdd6efff6d3e72c5c7921b52fee2774c343b7f258b7c8dac

SHA512
c0ce9a7194254c04c761adba8bd1ddb83a73bee56b3c23932a038f491ea9143cc42df0b682d463bf4863fa014d1bb6e9c0578def25ee3f8eb387a3d20b42e43d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
67d7a632e7c360ccf6bda92c1a0a5215

SHA1
85d68b6d023f1fca6bb16e720ea2bd358a9b6a24

SHA256
b4c083ba5e20bd7add894812793258104e379c33563bee94026f1394139bd5ee

SHA512
6d333b2e838efef5f411394488724d04825b403c45927038c88b1d0043fc2fce4aad9e35af60d9bb9502b76266816c47cb28c6a0f3387df5521c7f56412f7cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
bbb16a91df9dde2869871f861bc4353e

SHA1
0fe8c5580b6f0fa61ceeb0fb13723be089596e11

SHA256
1d990b6da4b7912f5d01e8ffa705fcc14269be6fdabdb746312646f7d72b96b1

SHA512
8299a7d3f35d6e56f8fb2f99d2735901377ec9c2e2b1ca6a75f4de70e43620b5a49ad370e82332a9fa5446911d58633b9dbdde3e3d15c8a6c998e5ee035c1a3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
3689549ead4597d685f8682ed9376063

SHA1
2ce756348032a7245fcd0c04896700ca36d1f78d

SHA256
3b7a0033055c6d92a525563c846af18cf77d98e5ac86fbc0dc8f096d497945df

SHA512
6b2706cbe148cce5546b04081fcc4423ab9284dfcbc457def37f64e9032950b553935142d01eb2c9c2c0554e960c3e28ce0fba9675c38578bd8d60ae45096ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
8e7bcf8d671dc540dc6ed0da2d8a5842

SHA1
d5da22763979da33ca327b2edec0fe99fe6f56f8

SHA256
dd8d260935125605843344d68c1ec16625edcb76a74063cf6f4c46e62a689e02

SHA512
db1f2ada4d5085e2f79de0999ed44f752ae626366ddf9bcb07ef8c285207da09b5defad7dece73544a67784df1804eb54d3638a0cec30deece492a3260293e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
d1e2178b9ce76ae97da5669801d2ea7d

SHA1
2bd21504e8591d819be910a944b53ac27e093009

SHA256
8a49bcb1c41f3939a6fc02710c0565d48ce4a1bfa3ae541ce9be8e52be691037

SHA512
5cc84d2bc401d2b84005c1e231b2db93a61dc06ced78cdfb61ebbbee9e24a71db078aea31a7db5a11a8e4debe0f1bfa28ab65251d1c4ccd4b3ddc9b90bcca757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
434B

MD5
d1def3032ec848cf6d1b499719328f50

SHA1
fb0463d7b92eab528e955d66b672a46a43376c6c

SHA256
cd0faadbddbe026ec404cf11032daf90d6f0498ce5ce6505ff17ad9aa1123826

SHA512
0c48b86de35582ca1a27fd34ce1644b7b4f3d51d048ae880ed765b1e6c01a3f0b8ffefe32633c4bf979f660e8295cb2982c57046bfbf14216728c205779d9231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
3a9fd780af187d63dc4bff02d691ceef

SHA1
b2eb39a2457ae51338b22a0e2252c610a1e339af

SHA256
5829585a1fd9077998d71cf63d51a7a4e5d0aa9accd5e6b5c474e05e8a757fe1

SHA512
d9f3a8a521eb6b74fc93b3bae971536c140255e6706a68ce74473accbafcb0c259c238e5b6739c06d5d74b46507da855aac3513bf66e081e04047ee35b36e795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\version-7b56ddc3755a46c6-rbxPkgManifest[1].txt

Filesize
1KB

MD5
89ccdf8b7f8065d61d3e4dd4517ae0c8

SHA1
bfbd1de1eee4f3a37e0f4769cc663e1df277f861

SHA256
86b3f1e3c48f05d8e73a8a8218661090824438cf3c17f2017134ab47c58fb725

SHA512
6905838e2e53dfda87029e95cd2c72d998d8009ecd49d4911df818dff7ba07d9be28873ba6b49f15ef4d974d11efb6cb0ea1abeea68707059d0b91aca9a530de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9YACFB9R\WindowsPlayer[1].json

Filesize
119B

MD5
4d97f0a252462876a77020f383f89095

SHA1
e518d6008945d34d420d219c02d260d99d138941

SHA256
f54594af7853726c5491706cdb16d7e34f354d7f56a03ead58d562bf69563da2

SHA512
ec5d636dbe37276677f9341aa23a6470cdc7126643f78ba886318a7c233ea48c0c560fcd3d7e90c10babcc62cb57a076bb4948667c407c240e22034add28655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\PCClientBootstrapper[1].json

Filesize
2KB

MD5
826f79f27b751b56ba140343a7ef7b93

SHA1
2f6d9f22ba20f9fe6b1a51892a70e53ef8afc358

SHA256
1c8602639db221546be929229b249d10244cbd13a9016e9987886ba68142b1d8

SHA512
3cdd36567b6ba7f32aace1cb9a31830fc8b3c435fef7b7009d616370d91a90135c75edc064624bf34972ffb8be22b12b1e1e5e187208ac8223960501f11d1357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\WindowsPlayer[1].json

Filesize
119B

MD5
4d97f0a252462876a77020f383f89095

SHA1
e518d6008945d34d420d219c02d260d99d138941

SHA256
f54594af7853726c5491706cdb16d7e34f354d7f56a03ead58d562bf69563da2

SHA512
ec5d636dbe37276677f9341aa23a6470cdc7126643f78ba886318a7c233ea48c0c560fcd3d7e90c10babcc62cb57a076bb4948667c407c240e22034add28655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\WindowsPlayer[1].json

Filesize
119B

MD5
4d97f0a252462876a77020f383f89095

SHA1
e518d6008945d34d420d219c02d260d99d138941

SHA256
f54594af7853726c5491706cdb16d7e34f354d7f56a03ead58d562bf69563da2

SHA512
ec5d636dbe37276677f9341aa23a6470cdc7126643f78ba886318a7c233ea48c0c560fcd3d7e90c10babcc62cb57a076bb4948667c407c240e22034add28655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-7F2C4B65\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
ffe818bb675c441ae967cb0fb85b56d5

SHA1
d1ca6c9bff52d2249698919bc73462f2de2bb284

SHA256
b672e59bb345d12ebad37d174cfb2a581ddaa1626f1d52076696d5bdb1b3bdd6

SHA512
66e5590134d575af49c810979c35d6f6254226ec712e7413525b47bc15082aba904b9b475ce270586ed1f378e5efb5af5d8924f3e86451b44c96f70a59b65963

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
867999834d9ad2a2fab9d68aa063187e

SHA1
cfbcbba3455c4a9efedce6cb6f967eb8149f1d21

SHA256
e400c6916f19b20fbaff7626f37863649c87257a23fe060393c521f5fdaaa027

SHA512
f089c58427b5b8606c5495cb880e4b9e7a2d26559829facab24cc1e3ea07541dcf45892ca76a16b1743ae37d8c774fb94ebd9a9472cafa74e4c1a5a1c33bd442

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
867999834d9ad2a2fab9d68aa063187e

SHA1
cfbcbba3455c4a9efedce6cb6f967eb8149f1d21

SHA256
e400c6916f19b20fbaff7626f37863649c87257a23fe060393c521f5fdaaa027

SHA512
f089c58427b5b8606c5495cb880e4b9e7a2d26559829facab24cc1e3ea07541dcf45892ca76a16b1743ae37d8c774fb94ebd9a9472cafa74e4c1a5a1c33bd442

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/4416-296-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4416-295-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4416-297-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4416-298-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/4416-299-0x0000000000B90000-0x000000000636E000-memory.dmp

Filesize
87.9MB

Download
memory/4416-302-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/4416-294-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4416-293-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download