6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

Analysis

max time kernel
138s
max time network
124s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher.exe
Size

2.0MB
MD5

88e64ec3895db7e1dadeb7e28a149642
SHA1

b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c
SHA256

6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26
SHA512

f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb
SSDEEP

49152:GrihbF2YzW7juDDUrEC19YTl10auIyhhTxHMOPMQ3d2y7TMb64:84bF2P7jukrEWo1fbB

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Executes dropped EXE 2 IoCs

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

pid process

324 RobloxPlayerLauncher.exe
1920 RobloxPlayerLauncher.exe

Loads dropped DLL 14 IoCs

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

pid	process
1244	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

Processes:

RobloxPlayerLauncher.exe

description	ioc	process
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\React-9c8468d8-8a7220fd\React\None.roblox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppCommonLib\AppCommonLib\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\StudioToolbox\DeleteButton.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\StudioToolbox\AssetConfig\readyforsale.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\ui\Settings\LeaveGame\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.4.2\LuauPolyfill\Timers\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\configs\DateTimeLocaleConfigs\zh-hant.json	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\PrettyFormat-edcba0e9-2.4.1\PrettyFormat\plugins\lib\markup.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\Symbol.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\ImageSet\ImageAtlas\img_set_2x_15.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\ReactRoblox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\DomTestingLibrary\DomTestingLibrary\types\matches.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\llama\llama\equalObjects.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\Number\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.4.2\LuauPolyfill\Promise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\ProfileQRCode\Components\ProfileQRCodePage\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TnSAvatarIdentification\TnSAvatarIdentification\AvatarIdentification.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\installReducer\presenceActionAdaptor.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\RoactRodux.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\ui\Motor.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\LuaProfileDeps\Roact.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\Shared-9c8468d8-8a7220fd\Shared\Type.roblox.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Analytics\Formatters\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\PYMKCarousel\PYMKCarousel\Components\PYMKCarouselUserTile\PYMKCarouselUserTile.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppAssets\RobloxAppAssets\GetImageData.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SceneManagement\SceneManagement\calculateAdorneeProps.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\AppTempCommon\LuaApp\Actions\SetFriendCount.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\NetworkingUserSettings\NetworkingUserSettings\networkRequests\createGetUserSettingsMetadata.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\t.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\ProfileQRCode\Networking\useLoadingState.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\Utility\getUserInputEventData.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\JestMatcherUtils-edcba0e9-2.4.1\LuauPolyfill.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\rotriever.lock	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\GraphQL.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\2D-Collision-Matchers\2D-Collision-Matchers\insideAbove.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\luaUtils\stringIndexOf.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\DomTestingLibrary\DomTestingLibrary\__tests__\wait-for.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\Timer.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\PermissionsProtocol\Promise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-5fead8c7-0.1.1\lumberyak\MockLogger.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Enums\PresenceTypes.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\JestCircus\JestCircus\circus\legacy-code-todo-rewrite\temporarySnapshotData.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\String\trim.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\React-9c8468d8-8a7220fd\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-9c8468d8-8a7220fd\ReactDevtoolsShared\devtools\views\Components\types.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\Requests\UsersGetThumbnail.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\ui\Settings\Slider\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\language\blockString.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\FindFriendsModal\Components\ContactsImporterOverlay\ContactsImporterOverlayContainer.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Networking\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\DeveloperFramework\checkbox_checked_dark.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\RoduxCall\RoduxCall\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RecordPlayback\RecordPlayback\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\roblox_rodux-presence\Cryo.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\Dev\Style.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\Expect-edcba0e9-2.4.1\JestSnapshot.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\RoactGamepad\RoactGamepad\InputBindingKind.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\JestReporters-edcba0e9-3.2.1\JestReporters\types.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\Events.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Template\DetailsPage\validateDetailsPageComponentList.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsList\ContactsList.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\content\textures\ui\Menu\buttonBackground.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\ChatWindow\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\ExtraContent\LuaPackages\Packages\_Index\JestEach-edcba0e9-2.4.1\JestEach\init.lua	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

RobloxPlayerLauncher.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe

Modifies registry class 36 IoCs

Processes:

RobloxPlayerLauncher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-be30b823d3fc46a0\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-be30b823d3fc46a0\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-be30b823d3fc46a0\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-be30b823d3fc46a0\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-be30b823d3fc46a0\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-be30b823d3fc46a0\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RobloxPlayerLauncher.exe

pid	process
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe
324	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	pid	process	target process
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 1356	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 1244 wrote to memory of 324	1244	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe
PID 324 wrote to memory of 1920	324	RobloxPlayerLauncher.exe	RobloxPlayerLauncher.exe

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5d0,0x5d4,0x5d8,0x5cc,0x5e0,0x660af4,0x660b04,0x660b14
2⤵
- Modifies system certificate store
PID:1356

C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=b30562552e929b28b3892128001fd4fb6e2722a8 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5b4,0x5b8,0x5bc,0x584,0x5c4,0x55b480,0x55b490,0x55b4a0
3⤵
- Executes dropped EXE
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize
2KB

MD5
76cdfa1e64786cf8a512565aa156d674

SHA1
c34fdc21105fbc45b3b7b2bdc56a22e3806b3b9d

SHA256
4d24972297733d46782d4bb9ec3095429d308ed0598508eedff9b6b73e49f909

SHA512
ce1266af7dc4661f200f33268adbdf57ce5454693068d966fd12066d2d9acc71b4338129564350a49effaefefbd25b8483391d63b0b870f1d5625e880279fb91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
afeb947700934e6495db2ef5ea714989

SHA1
04b3bf94f26b6721dbcc1a82bca036c02a911c49

SHA256
4f5e96a0e628ca7309c330d38643b917c965130949cef8fa342f2f478341f187

SHA512
ddf567306b9ea5439efc12896df20f05568694fd645641f98a1a156e58948e82fd06649a6f0f1ac37b176f5c52d99ddd25d72ec0d63c85ee8235b2c1a5e3bd70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_8188B0251A6967A35A03878927DFE701
Filesize
472B

MD5
ea599180805480f5f3c4a5aeaf9fa5ed

SHA1
3384c93bf6926b7141c269f9fe5a3b45ca6312dc

SHA256
57b2f1eb3795614be85f623ac1efbe436502c01c280a955f34e7b9725cafcbe2

SHA512
86a55bf900e39606afa9765d7f02c67f8ff88f12db14718f159f8d462590f30831ef621ff1dc6be6a57ae962fccf4eee78b6d318f784bc1c6622ba85b3a505b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
6a3b8331e801f083b403b0857ed8d574

SHA1
48d275731f1dbd0630d1ca55a1b05f149a011d1f

SHA256
98651a2da4a4613bc2a03c4128926fe6b05f1af8a7a21e1fedec75db013706a0

SHA512
7527b8857707c8822e4b7f5049ddc9b4c49933e68535690746d84b7f0187a10f36e874719bdb1bf3ba8b035568a7cbafd687b80c4621dc35552d73f7e497071d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
21ed9ca0f4579a63723066fab3cdb1e9

SHA1
625f8780cba0177fa7d9b747df0bd45511ddc900

SHA256
818a6653f6011a83d251998208826644fe68d228a739c87ec14e470e10817889

SHA512
203e8fa995dfd86617536e1fc445fa1fdfbc0ec462d238cfbfe1d03c81b51c81297335c4c54503070c25897858fbedd659c348ab994f9195635ff75a0f3ecda4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
71288df6e69e139111a733ad7b94866a

SHA1
9f756b5bdddb2eae7e7bf2678440117026ea8b54

SHA256
7441007a5974bcfdee443d0c1fe1c40d7e7f454fc0712501eb7abda978877837

SHA512
efab7742dd31b5397da0bf2940e9bb8de89702c39b6f062194caa33b31346ee646a3b4c622e9bc42b4ea9ed94772098476a5e87ccdfd8af0be58a7a153ffc9e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize
488B

MD5
2bc1c15c34d077c40879c9de62c85236

SHA1
ecee07f8deb21da40f5c0453cbff21123dae2f86

SHA256
e5468c20365caaca1cf4a34564ba3fdf5c21ccbbc2895d66ff179ab4ad3b2b68

SHA512
c8832967f4529e3e942bb4024b6e7b3c6e2e08287bc1fc1fc9c6bafc489154e60be821c0f7094128d8a76a7418181a28cf363f6f51807275d5072e5487db59ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
9c2853c496a69d4d6ac1b6e443779f58

SHA1
9a4b13738d92ecc97eab53668483f2e1b904ae71

SHA256
eea94f01fea29896d7c7a7eaab6aeb6b8c7847021822e900e60640bd1546c392

SHA512
a217fd96eb9026823163e13fb87af2896637933d5b86681a77f584112cb56651a9f1fc34b1a51388d12cc4d0bc42d53122971f606f881edaae70a0e26f2fbdcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_8188B0251A6967A35A03878927DFE701
Filesize
496B

MD5
fdda65e1f9ab5017b24d19a563a210b2

SHA1
1c077d8749586397b1747ed12fe4cfbe6c601186

SHA256
955b5e8380baa9e118ebbe400525dab2fb545abc6258a8774e1890be0863bb78

SHA512
62b388afc84c03a6c8624dbd21e646e51cab75b6185b0d23a56e2f25cff6e95099287b1a4917e5c351496e50dac172fb8a18fe3f594cc9cb59d6f6a51f431785

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a17aca6b6cb5d5f9612b09ec2985cc38

SHA1
a6d31f0f507fe90f412b8ae1d475f0413376c573

SHA256
9cff397485f74af9004583b5b594279263a8f694493281a97081b4481d795b1c

SHA512
a53142e14457dc5f0d6d5c15dea0642124bc16246cd18ab720635e8ad406ab196376b193b04a56a312674209f95bce62898f58bad2068925743ca8f9c1425e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d94d2f2051918a15ea415f08b27fa414

SHA1
b12881cd9d77c47825b69290ee52f80ddffc0d38

SHA256
0af26f43817c8c37789de1817b40a053bee239f757f955fd0d0af7940a6a5b10

SHA512
ebcea1b7153b86ef043e061dac22fa082cc18b21db6449e872098a8573d0cd83812265dca9956e56f7506d918cdb3f3c516e0cc4a56fdbc275fafc4ddea6728e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
11d335b38628c8076590d81ecaa69f49

SHA1
55c8739d52765e209d11130c405a39b565db1f4b

SHA256
b9b4608849780d4d33262e262d96228b411c3712e2ce8f4a6477626feaa90956

SHA512
27c9a9463df971841aa7540a55b478c28125a82dde5dfdd524843265c6deaf0b83badb2193dd18cddfb131d31a91162eb8c31c1d4d325a5129cd5c26244186d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
669f0ad3b5c4dfd5a64c7b9e61e87c0c

SHA1
612a6625a1fc7dfb59644d46ea7a2fb8672e6cac

SHA256
c226ea71e5f2af31e4d700b00d425dd27a0e239dd26dc9bf0e23418d92ee6f37

SHA512
d93a743c4bfcb6b1edb412405d9cddaf5667fcdbd306832f4cb91878291ff078c8053f433f24b739e4b4981a2d18e727e97d37a7b92692136cfd0eb3302b83e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b181c978edc5d07fed83efbc5dace3c

SHA1
bd1a1862d4df10f921b293bb50c58277386a3e4e

SHA256
263653d8bc74d64687f5f9d82e0e9825590ae1febe0f6fc2b2588c692676ce2f

SHA512
24405910bb66250ece1983518bb26b17be7a0f5457ea9e9a07014b7ffb99c4aad4948fe2b29206425cc4a8f1c473904bbd8aa5a9f81e4ab3c26655e98b9f3de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c97673c53585606ed2704d84c6a8e1c1

SHA1
6c08122bcc33dac00a74f81b7fafa146ee17d507

SHA256
83312c41b8514bfab7d04b1211ad4f25c7e6238466f4502a0c793a6832db3caf

SHA512
154d76fdd1d60344da25b2a0b0e6aaf39d731c3f22b5eebf6bba10d226a3c2efc11f6dfdd5d74f5d55c0b6434c2eb33a26b35c867be0370f873ddb3ff7ddf97c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
183ec2ad0f361adf461491b21315dc59

SHA1
0b30b0339e3b82c6e608622b2961fcaea27f7828

SHA256
ae6ff67d9e30f747e0c3cb55b6211e04345a730925ae8414998c110f4f54a3e6

SHA512
6f8e030a44ce32eee19ea58cc55c44d750b8cbacd10e1a6f03f4be02553c5b685d7f12c295db8a99dae84fa23bcc1b695851bb3358002ffe8e013cb05d03a63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
953d7c2d599ba1581b6c2d54a6e891e0

SHA1
626581e546dc09151ec008f03b0025fe35b6dd0a

SHA256
f5b5482efdaf281bebb98f18a78092d0ff7380c35aca0afac616d514d6bf74fe

SHA512
5af40fa6e57f73eed2e4c1f3251e055f3423e90b9c3990a552d274c74357a6f4c552124bbc274347dacf1e5fc07a59e18f119818ba9c6906321825de07415d76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
2c22694187c11fb12ba44c706d7b6ada

SHA1
854c642c63b85a3211f267681e60f9cf78d3041f

SHA256
cb95c5028a4e14a7531590504967b6f8c274887f1793678ad833b60c83c2086d

SHA512
252fa667c7669b69ad50b02e2c8c1dbe866e976eb93833682f45e25d34ab5d3c3ce9e2e1127ffed9fb3ac89ac3f183e580ac514b670b147562dbafafa8b42b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
22bc931e4444dbc6988ec1307656e630

SHA1
dec6c36044d79027879c337a288615aafc294c29

SHA256
430fca713ddc4652806b92f6634876bce4801b3a5a4bd81d59f53024feb8cf19

SHA512
7620c663162725766dc4dad9721bde9f12c865aafa92d1b8a0cd45557dae4d91b5db23111682716c10ddadcab77c1639649327b2dd596842bb8033633da00e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4D33E1QE\WindowsPlayer[2].json
Filesize
119B

MD5
8e7e1124df5cb13bde562332564be4a4

SHA1
37314dc17a1a5635581abbaedff6ab677469a334

SHA256
fca98f982f815aaa96f89bb30515e35e5dde746fcd175fe987d5d885d0a8b4b0

SHA512
2f16df7776ff2d8e3ec1288ecc9f333553e875c2040f83677a1ca0b6f0ad664b957a0a71001f11cd5721a13c1b0a38e1cce29239c772ced1b9ca689b474b1d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\PCClientBootstrapper[1].json
Filesize
2KB

MD5
98829de48b76b3fef50cc5945df07982

SHA1
1e42e241def41819b8edc0db1fe8fb41d438d40b

SHA256
2a8e8d412afe68f2bb61d45e35238caa5656e7b664c2eae31891f0a540a6f727

SHA512
0a20bfbede0707e678e4204d2ed0f4a8eb0c2221b4053aae98370843d96f90ba496756e51d41ce573d8cece97a60ea62c4470750a1b03dd5c25da1a9db293b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\BatchIncrement[3].json
Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\WindowsPlayer[1].json
Filesize
119B

MD5
8e7e1124df5cb13bde562332564be4a4

SHA1
37314dc17a1a5635581abbaedff6ab677469a334

SHA256
fca98f982f815aaa96f89bb30515e35e5dde746fcd175fe987d5d885d0a8b4b0

SHA512
2f16df7776ff2d8e3ec1288ecc9f333553e875c2040f83677a1ca0b6f0ad664b957a0a71001f11cd5721a13c1b0a38e1cce29239c772ced1b9ca689b474b1d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\version-be30b823d3fc46a0-rbxPkgManifest[1].txt
Filesize
1KB

MD5
5e596a21c9d7f8853210c9fe663f7692

SHA1
8616e612cb6a03b38cdecbbd5e501f1f6165bc7c

SHA256
99c051dda1bae6f9b7d4a5ca411577ed77c354b7004513005406a113d91e0d67

SHA512
46c28501905650364ab18d6cbcbcda2a291c3a4850d5c5137278beacfd1436dbf495942491da057751910bbd3046e810503fee7cb2cf8003e0622ad4b7fcb9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab32B5.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab347B.tmp
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3364.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34A0.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
Filesize
40B

MD5
330576f1b325fde18a9ddef12bbb4443

SHA1
86eacd0705af615144127663e3b7936d7be2b325

SHA256
62215b12d9309fe152c245326de2023762fbd521c561c00a71a469d9bceef02b

SHA512
5e8e22a37221de291378e5a8c8f6e9f76b75ec1406f0de3ecd0b33f7c0645116454cd6fe0013723b4d14f42128caab055476d3f152f77422f1ec90d7e736cd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UXA7WQ16.txt
Filesize
68B

MD5
1e72cf4980442d8175c8b68f94c29927

SHA1
c2b17c2d297bc6689d2f95b863cc2d073c21973a

SHA256
f7ed690b4287fbd349d92920435ab7e4a766f290270f54cbb0c0d716f168c114

SHA512
f91525233afea7a0ad6093df3cad2ff25cd3e5c5c2994fc649c635e3f9050142d1f9b4832553244ebe95868c2496ed719594205f4f0c3dc7cb4d64a6d37e877d

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\RobloxPlayerBeta.exe
Filesize
58.0MB

MD5
cd199f81c3a2cbdbf8ede573d6c19013

SHA1
f0fb145f124ac1d299a34ca7efaf98eb946718e1

SHA256
87da9bc3377e4503712a5fa01f1b4560effd3908cf25257f9c639ea671b34a78

SHA512
f06dde6f9ea5bf11d876b117a33f46a8ae5a22ecdf8fc768af4d975b626661e89ca7a866585131b1c4289a2038e8bccd28dee13b570ab4c37e1eef7ee037b08d

Download Submit
\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\RobloxPlayerBeta.exe
Filesize
58.0MB

MD5
cd199f81c3a2cbdbf8ede573d6c19013

SHA1
f0fb145f124ac1d299a34ca7efaf98eb946718e1

SHA256
87da9bc3377e4503712a5fa01f1b4560effd3908cf25257f9c639ea671b34a78

SHA512
f06dde6f9ea5bf11d876b117a33f46a8ae5a22ecdf8fc768af4d975b626661e89ca7a866585131b1c4289a2038e8bccd28dee13b570ab4c37e1eef7ee037b08d

Download Submit
\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit
\Users\Admin\AppData\Local\Temp\RBX-552D243A\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
6b68f3be3850e9b2ac03bad9f4de5b88

SHA1
57c59090e38d6e0128874ed93f53a4e3c65ee47b

SHA256
159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

SHA512
de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

Download Submit