a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

Analysis

max time kernel
187s
max time network
467s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-04-2023 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

8^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	RobloxPlayerBeta.exe

Executes dropped EXE 12 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exe

pid	process
616	MEMZ.exe
1476	MEMZ.exe
680	MEMZ.exe
1792	MEMZ.exe
1484	MEMZ.exe
1508	MEMZ.exe
1608	MEMZ.exe
2312	RobloxPlayerLauncher.exe
1984	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
2324	RobloxPlayerLauncher.exe
2516	RobloxPlayerBeta.exe

Loads dropped DLL 28 IoCs

Processes:

MEMZ.exeRobloxPlayerLauncher.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exe

pid	process
616	MEMZ.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
2312	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
3044	RobloxPlayerLauncher.exe
2516	RobloxPlayerBeta.exe
2516	RobloxPlayerBeta.exe
2516	RobloxPlayerBeta.exe
2516	RobloxPlayerBeta.exe
2516	RobloxPlayerBeta.exe
2516	RobloxPlayerBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 64 IoCs

Processes:

RobloxPlayerLauncher.exe

description	ioc	process
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RoduxAliases-4b477b13-e5753ce1\RoduxAliases\getDeepValue.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Utility\ExternalEventConnection.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Localization\Localization\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\StudioToolbox\Animation.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\JestReporters-edcba0e9-3.2.1\JestReporters\types.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\rodux-networking\rodux-networking\makeActionCreator.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Utility\bind.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\enumerate\enumerate\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\ProfileQRCode\Networking\setupCreateOrGetProfileShareUrl.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\DiscoverabilityModal.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\textures\ui\LuaChat\icons\ic-notification@2x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RobloxRequests\RobloxRequests\lib\nocasetable.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\textures\ui\LuaApp\ExternalSite\youtube.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\forks\ReactFiberHostConfig.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\DeveloperFramework\slider_knob.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\utilities\valueFromAST.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Commands\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RoactAppExperiment\t.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-2.4.1\JestGetType.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-3.2.1\RobloxShared\RobloxApiDump.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Slider\TwoKnobSystemSlider.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UnitTestHelpers\UnitTestHelpers\withMockLocalization.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\Commands\RBXConsoleCommand.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Actions\LocalCharacterLoaded.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\GetNameColor.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\type\scalars.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-12e911c4-90b08185\LuauPolyfill\Object\is.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Bar\BarConstants.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\UnitTestHelpers\MockContentProvider.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\AppCommonLib\AppCommonLib\Signal.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\FaceControlsEditor\checkbox_unchecked.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\ui\VoiceChat\SpeakerLight\Error.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsList\ContactsListMapStateToProps.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\Components\EventHostName.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Actions\VoiceParticipantAdded.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\installReducer\Players\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\execution\execute.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\textures\ui\LuaApp\graphic\gradient_0_100@3x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\installReducer\friendsRecommendationsBySouceAdaptor.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\et-ee.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\ui\LegacyRbxGui\Asphalt.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\ui\ScreenshotHud\Close@2x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\textures\ui\LuaChat\icons\ic-notification@3x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RoactRodux\RoactRodux\StoreProvider.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialChatToast\SocialChatToast\ToastReducer.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\ChatInput\UI\ChatInputBar\ChatInputBar.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\JestDiff-edcba0e9-2.4.1\ChalkLua.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\PlatformContent\pc\textures\metal\normal.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Actions\ChatWindowConfigurationEnabled.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-0ba25b72-b001fcbe\RoduxFriends\Selectors\getSortedByRankRecommendations.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\PermissionsProtocol.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\AnimationEditor\button_zoom_default_left@2x.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\content\textures\ui\VoiceChat\SpeakerLight\Unmuted0.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\Events\ChatTopBarButtonActivated.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\ReactFocusNavigation\ReactFocusNavigation\useEventHandlerMap.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\RoactAppExperiment\Cryo.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\Shared-a406e214-4230f473\Shared\ReactFiberHostConfig\WithNoTestSelectors.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Control\HorizontalNav\ScrollingListWithArrowsAndGradient.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\Style\Validator\validateTheme.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\PolicyProvider.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\enumerate.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\AddFriends\AddFriendsSectionHeaderFrame\init.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\ExtraContent\LuaPackages\Packages\_Index\Util-96003ad7-0.7.0\lock.toml	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeRobloxPlayerLauncher.exeRobloxPlayerBeta.exeRobloxPlayerLauncher.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09EFBE41-D0A7-11ED-AAC7-CED2106B5FC8} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ce43e5b364d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000dc0f342674f56a0f531a63d4115b3fb9029119474e23acfd8b1773a89be7da89000000000e8000000002000020000000c0ac8d34389ed733719e9e762d05a306a74a96e1a7a610d1cfca612f51bd1f2390000000ebe90ff4f246de63172d01e91a128b3ed918ee683c36cb9ea0a1b780992f0bc488a8e13e23996ab2efbc5b6cd218ef3061826c0bf0be3cd92d6765d8c2ba85b5ab11a04d1f70894fbe88a748efb440d9df5191ec5fcbd5a83ef0534578c31265b54f7164ff5f644a2bcc66ac9e02835ebf74ddfa2df0da9b27dda48a59db90ef61ff88a755fc5f485eb97290093e3ae54000000002933ee27fc391dc39baa6817dc62ca4f82d08454aa7346c9aa7c2629c606bf8a7ff0f6101075fe1f57476a8221c43f5f55c317c86c858488d36bbc2e4c28caf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	RobloxPlayerBeta.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RobloxPlayerBeta.exe = "11000"	RobloxPlayerBeta.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	RobloxPlayerBeta.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca000000000200000000001066000000010000200000009178715ca338ddbb4ae8f422bcc8cad3b3cdc12c422737cb706582dbe0e6c997000000000e80000000020000200000000205a6a2e1d2bca3d7f98d90ad95301ad5f5b16f4f1970bcd8f6921173240a9920000000aa919cc1c6d7c909f2caccbdaca20e1b2d91358289e6987118b13d24418eb814400000008aa3fdbc7d1120122b3a0c6ae88c9be01ea139b592fd2adad2d40ecea516655612309667a3ec5b780b376513e17f750c5d54c7ec14d309afa89972e08d96b0ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxPlayerBeta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	RobloxPlayerBeta.exe

Modifies registry class 50 IoCs

Processes:

RobloxPlayerLauncher.exeRobloxPlayerLauncher.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-b7209bbd7dd04d17\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RobloxPlayerLauncher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	RobloxPlayerLauncher.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

616 MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exechrome.exe

pid	process
1476	MEMZ.exe
1792	MEMZ.exe
1508	MEMZ.exe
680	MEMZ.exe
1484	MEMZ.exe
1476	MEMZ.exe
1792	MEMZ.exe
1508	MEMZ.exe
680	MEMZ.exe
1484	MEMZ.exe
1476	MEMZ.exe
1792	MEMZ.exe
1508	MEMZ.exe
1484	MEMZ.exe
680	MEMZ.exe
1476	MEMZ.exe
1792	MEMZ.exe
1508	MEMZ.exe
1484	MEMZ.exe
680	MEMZ.exe
1476	MEMZ.exe
1508	MEMZ.exe
680	MEMZ.exe
1792	MEMZ.exe
1484	MEMZ.exe
1508	MEMZ.exe
1792	MEMZ.exe
1476	MEMZ.exe
680	MEMZ.exe
1484	MEMZ.exe
1508	MEMZ.exe
1476	MEMZ.exe
1792	MEMZ.exe
1484	MEMZ.exe
680	MEMZ.exe
1484	MEMZ.exe
1508	MEMZ.exe
1476	MEMZ.exe
1792	MEMZ.exe
1528	chrome.exe
1528	chrome.exe
680	MEMZ.exe
1508	MEMZ.exe
1476	MEMZ.exe
1792	MEMZ.exe
1484	MEMZ.exe
680	MEMZ.exe
1476	MEMZ.exe
1484	MEMZ.exe
1792	MEMZ.exe
1508	MEMZ.exe
680	MEMZ.exe
1476	MEMZ.exe
1508	MEMZ.exe
1792	MEMZ.exe
1484	MEMZ.exe
680	MEMZ.exe
1508	MEMZ.exe
1476	MEMZ.exe
1484	MEMZ.exe
1792	MEMZ.exe
680	MEMZ.exe
1508	MEMZ.exe
1476	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

cscript.exechrome.exe

pid	process
812	cscript.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXEMEMZ.exe

pid process

2636 iexplore.exe
2636 iexplore.exe
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE
1608 MEMZ.exe

pid	process
2636	iexplore.exe
2636	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
1608	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exechrome.exe

description	pid	process	target process
PID 820 wrote to memory of 812	820	cmd.exe	cscript.exe
PID 820 wrote to memory of 812	820	cmd.exe	cscript.exe
PID 820 wrote to memory of 812	820	cmd.exe	cscript.exe
PID 820 wrote to memory of 616	820	cmd.exe	MEMZ.exe
PID 820 wrote to memory of 616	820	cmd.exe	MEMZ.exe
PID 820 wrote to memory of 616	820	cmd.exe	MEMZ.exe
PID 820 wrote to memory of 616	820	cmd.exe	MEMZ.exe
PID 616 wrote to memory of 1476	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1476	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1476	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1476	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 680	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 680	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 680	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 680	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1792	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1792	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1792	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1792	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1484	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1484	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1484	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1484	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1508	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1508	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1508	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1508	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1608	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1608	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1608	616	MEMZ.exe	MEMZ.exe
PID 616 wrote to memory of 1608	616	MEMZ.exe	MEMZ.exe
PID 1608 wrote to memory of 1860	1608	MEMZ.exe	notepad.exe
PID 1608 wrote to memory of 1860	1608	MEMZ.exe	notepad.exe
PID 1608 wrote to memory of 1860	1608	MEMZ.exe	notepad.exe
PID 1608 wrote to memory of 1860	1608	MEMZ.exe	notepad.exe
PID 1528 wrote to memory of 1280	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1280	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1280	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe
PID 1528 wrote to memory of 1644	1528	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:812

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc9758,0x7fef6fc9768,0x7fef6fc9778
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:2
2⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2160 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1004 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:2
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2496 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2516 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4188 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2284 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3460 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4892 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4920 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5108 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2276 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:2796

C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
"C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
PID:2312

C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=6867c2d3365d29f9b40f61bb5c51a4bc7df908c0 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5d8,0x5dc,0x5e0,0x5b4,0x5e8,0x139b480,0x139b490,0x139b4a0
3⤵
- Executes dropped EXE
PID:1984

C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe" roblox-player:1+launchmode:play+gameinfo:mhb6Q5dhaEjkLyTV2pL3vofBf4mpaASjzZ3HUbyUeRmY-6Ch0LQQoU-grNEBp3TSGOUkBObdmVj61YM9NobmcY_U9gz8n5Rj8vL4bJL3ShO9PpaiYm4zr2WBmP4pHbHSOQH3fiHMbA6OXZt5xRnRHNbmCLt10ayccDUhHsWgibU4shpCjoYGKRgySZHYAgxDO2YY2y8BKGCwHTzJ7c1rU52R52HH25F0hhFFMju9114+launchtime:1680365192117+placelauncherurl:https%3A%2F%2Fassetgame.roblox.com%2Fgame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D167732842934%26placeId%3D4924922222%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D7e590a44-2887-4af2-ab3a-a4f9e893038a%26joinAttemptOrigin%3DPlayButton+browsertrackerid:167732842934+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
PID:3044

C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=6867c2d3365d29f9b40f61bb5c51a4bc7df908c0 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5b8,0x5bc,0x5c0,0x58c,0x5cc,0xbfb480,0xbfb490,0xbfb4a0
3⤵
- Executes dropped EXE
PID:2324

C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerBeta.exe" --app -t mhb6Q5dhaEjkLyTV2pL3vofBf4mpaASjzZ3HUbyUeRmY-6Ch0LQQoU-grNEBp3TSGOUkBObdmVj61YM9NobmcY_U9gz8n5Rj8vL4bJL3ShO9PpaiYm4zr2WBmP4pHbHSOQH3fiHMbA6OXZt5xRnRHNbmCLt10ayccDUhHsWgibU4shpCjoYGKRgySZHYAgxDO2YY2y8BKGCwHTzJ7c1rU52R52HH25F0hhFFMju9114 -j https://assetgame.roblox.com/game/PlaceLauncher.ashx?request=RequestGame&browserTrackerId=167732842934&placeId=4924922222&isPlayTogetherGame=false&joinAttemptId=7e590a44-2887-4af2-ab3a-a4f9e893038a&joinAttemptOrigin=PlayButton -b 167732842934 --launchtime=1680365192117 --rloc en_us --gloc en_us
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1188 --field-trial-handle=1280,i,13252610952021902014,3969735607588636859,131072 /prefetch:1
2⤵
PID:3860

C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe" roblox-player:1+launchmode:play+gameinfo:-XlGxJh5x8_f3zLC70mJEOL8p8m9tVu5z4k_URzFnkUbLR15NFU--MyfaTX47F9gqMHtKyg-r3BLt7xGD5axeuryhoX4Jf4RoI6cJhk3nmzrATL-g3Enmgcu-giJY1esf6wjKAsn2uV6LAIdStikfyu_ZupepmEM5ycDpwVP5xgsMxBGvJ3bfbC4IgdfM2u4yQQFo7gr452W7XIgtyd1hd2SJ0Ne0CrBuMwHtLlvs6s+launchtime:1680365449834+placelauncherurl:https%3A%2F%2Fassetgame.roblox.com%2Fgame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D167732842934%26placeId%3D4924922222%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3Dc404c870-98fa-40dc-97f1-e0a9174829f8%26joinAttemptOrigin%3DPlayButton+browsertrackerid:167732842934+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
2⤵
PID:3924

C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
"C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=6867c2d3365d29f9b40f61bb5c51a4bc7df908c0 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5ac,0x5b0,0x5b4,0x588,0x5c8,0xbfb480,0xbfb490,0xbfb4a0
3⤵
PID:4048

C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerBeta.exe" --app -t -XlGxJh5x8_f3zLC70mJEOL8p8m9tVu5z4k_URzFnkUbLR15NFU--MyfaTX47F9gqMHtKyg-r3BLt7xGD5axeuryhoX4Jf4RoI6cJhk3nmzrATL-g3Enmgcu-giJY1esf6wjKAsn2uV6LAIdStikfyu_ZupepmEM5ycDpwVP5xgsMxBGvJ3bfbC4IgdfM2u4yQQFo7gr452W7XIgtyd1hd2SJ0Ne0CrBuMwHtLlvs6s -j https://assetgame.roblox.com/game/PlaceLauncher.ashx?request=RequestGame&browserTrackerId=167732842934&placeId=4924922222&isPlayTogetherGame=false&joinAttemptId=c404c870-98fa-40dc-97f1-e0a9174829f8&joinAttemptOrigin=PlayButton -b 167732842934 --launchtime=1680365449834 --rloc en_us --gloc en_us
3⤵
PID:1192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e0
1⤵
PID:1724

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1368

C:\Windows\system32\dxdiag.exe
"C:\Windows\system32\dxdiag.exe"
1⤵
PID:3892

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\SysWOW64\dxdiag.exe"
2⤵
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
9bf77ce85a5a981d86a0f7a4672ba22b

SHA1
62fb7e9f8b763de11a63a156c847e7df4dde7fad

SHA256
44ed3a7243fe9995a4439683d11971670eb00101c3832ad30db5242560b2b354

SHA512
2ead42546c80b3dbb87ac93f1324c85fc0bfed5a7c51a1217993c18d43886a9e7580a80ba9a2b6ec4c7eefd23d274fce561845ab508b427afc906ad594f58e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
f38abed7c0362f77808f7e0c5aedc8df

SHA1
05a2c55fb82ad1d549eb808aad79afcad8d435e9

SHA256
8f39ee855dfc4b0a19406c5a3109222cf09fe1abf3a56577e8d0eb29fecc9c20

SHA512
61c03bb4556d0232eb0f2311cbe8391958e8cf7b5c7c111851ec30ea883881a4d853536d05a29e2c19bacda9a4f34434279af7548bde15b9cb2850170e9b0b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
21ed9ca0f4579a63723066fab3cdb1e9

SHA1
625f8780cba0177fa7d9b747df0bd45511ddc900

SHA256
818a6653f6011a83d251998208826644fe68d228a739c87ec14e470e10817889

SHA512
203e8fa995dfd86617536e1fc445fa1fdfbc0ec462d238cfbfe1d03c81b51c81297335c4c54503070c25897858fbedd659c348ab994f9195635ff75a0f3ecda4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
0cc22a011ccaaebc8d6e46ebb016a84e

SHA1
0ef4e417095e7a31d5a6d24fd9b098886185f274

SHA256
308735064ff38c7fd32d09fa073f491b50d25b2dcf542a66d59b5adf5e64944d

SHA512
4f44bc1d97d34c12a603dfe12ec4317d6509e725a82ba9b94212687acd45e838d9d0c0b3b52ae23d927a173876eea6d84abe1c6df96b6ae96170488967933caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
9f16c66f74276302a65d3d6ddf59a3c5

SHA1
2aabde76cc3cd900707890f17dbd915f976f88e9

SHA256
69444bbaea0778b789c887f964fb1c01eb94e82395f17d54c597c048d1dd16d8

SHA512
7a8ae5f75efe7e7c236e87bd65f326ec6797c0141dc336a3f5fecf2602350071cbd4fc9e1bb51ab842d7be33056705826ad21198cc46d5c9296e4e9714e73f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
015ba7f1e694cae0b17b039e42339852

SHA1
15bcc526a7cb742cd6cd3e07a3a83864971d47f6

SHA256
42830bd4354a91f2225353e0669032a78e916402c332dac1e7b0d02dc513659a

SHA512
e161b74c3462df11d14b95511efb2414775f6ead07d939c90c0c66e2929ee6d67b54a37396a3c029c1a792fb6800e5160563da0b5146e781d47c8f3c89e5d3b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
924c2cd6554e63904a77d0ff1173c34b

SHA1
3ace5a43674c6c85cc658a0fbd92ba01ec2fe03d

SHA256
84437410d210531ca3697303b46873e373a3865293cf1bbaad744a6d6a5a0888

SHA512
6a4bad3bb424523397c673e5f8842d583e502c8a54e1918c0e62eef056a9cb73d105f5df1b6987b77e590fa9d029656cb2931909283d4b3fbf763296e04ef263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
aa7c0dc533c320bd8794ef6a8d65eb9c

SHA1
cfde772aecd531c898c9d25a2c71e40571a76b9e

SHA256
6aa1f74b8042410c864f3795db043c753a5383d3ceab77a250411524a291782d

SHA512
c7358f6ad619a78f53ae05775dff8ae009d07509f0c024ff38fae77ca9b5c1b89af5e9253e6b134efe0efeec218052eab7abad0bd29ae376c58499c3f81057c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3ec06c3774509d5a3e4c9e61164fa3e0

SHA1
6eabaaa1302f75771da6f23fbb26c9edf0ab35cc

SHA256
75188b253fb88a3cdd4cbf716f5e57b2d70ce7158e8fac7bd58f1b3f352f1992

SHA512
f96c8c92b58194d896848719a99a7f5ef8e56b6267aea4e0f0f5dd8c42efaaffcebd6c41188a1e9e1c94e4598c699a0a8c4ca7ca7e26f7b7aa4c229a0c0bfc91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
67db34c946b299ff2d7fa4ec6f5c2315

SHA1
e206c1517c48d712e1649a67afd0bcdabe740c38

SHA256
667559a843d3f06a100486085721ca93312e5f25ec3f186494ee6ca532b3760a

SHA512
0b9dd46b2ff7594c082c89277fe372ed2a56e0b717b8731177b2beb925fc3680d937aad0782aefb3467d6c56df3cfd753576dacd0887225eb5dedcf7c5530a11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
a5be6522706cdbb9a3e6adf972bd92fd

SHA1
d24f5d8869698a4955d8ac526cccf6803df49d56

SHA256
2be072c7f8e17f1eefe097fc197b23df9e080cb85403e8afea91bf5eacb15080

SHA512
263614aad9ea43cf37414746267ef68042a6c2535886edb5ac01c58856501e86eec69e885a901789232b268187c83b2670dcd916101a6a73006bb9facee209f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
427dae877933be15a98c9dc5ebaa3dbf

SHA1
5014e007e68d1f2e54e61237d166a69d585ea2dd

SHA256
d80a2839a59fdf26312f9f177d1f8c7fddbbb57c84a2d3a1743d04c5104b70ca

SHA512
add52d73a370679ffaf9b0c79e9926eb8d23500387026f8cb3df82bf86401128104ec213c4db33b7955da4b7baf26ac393dd835c4c6e67b19fd606745ff01d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
eb266ba7804430334f96c8fb311228a2

SHA1
d9457a1da471f0109ef78f5817363ab299da1ef8

SHA256
620614058253c778ec606d5e5605d59b35fa5b905b381a38c6bba295d5468bc0

SHA512
e29c3bb1fd6787e32073df2fde1f8d83e0c43031bfec813e7388aef936b90ce9bb30865752c2014cd4d115f42518bc964df6ec659d5d083472f5aad812656d8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
15ec116cd764f9475be677c5cef81e01

SHA1
242c1737ea0b691f19009d9bc9ab2098eff14e03

SHA256
82562c18b30ce9facdf32a04ec719c1ee6f3664fbd939da3f286fb2a7c811f2c

SHA512
109cd63788f459ce2caa147f73ea7b19f1b51d348c9e8847fc40d6a535287aed5f720d96ff163e6b6a7c01390adb0a25d5815f79e3b0ac2b73394eec9781040d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
61800ed5f20c1e0b84bf436dd75d9a9f

SHA1
b13f2698944c4c899636359755bf9fd0a3cae215

SHA256
dacfa8b740c9dab0a7fff5270e5ca18837ccc2da855b5b22f0cbef26a53f5a22

SHA512
201866bdffbd78f4ee0ffcff6faec7669334f4e94587d53757e3481e89ab2723b723947869bfc11959965b6ee0a42c1aa708441181e374a4ebfc972cae54d20c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
f2150d0aee496fef0b69d8a78f3172f1

SHA1
cd5cc8016fbb6373afcae6fc4614e0b74514e707

SHA256
3a94bdcf37f72041356135e0f3e8ba4679ee4dc8ca72d64430d0fcf0c9f7877d

SHA512
0828eb62e8b1c41c603a22c0a15b2e0ed2d957e1ac028fe51c3de6bc6f4c955e93b9e05a11cf025fa08f43dcaf42704ddbd087f650e1f6499eff8043f13a9b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
a52697a9687f593acd9441c83b798df2

SHA1
73296de34bfe8b156bb258200404a6affae0de0e

SHA256
2768743a1e14581601e1b9f4a138b9270c0b530f0511286f0c4040e12cf89b86

SHA512
a8d3a7d7a757b773f989a9fcd23d75812b71c94f476d58d35b6f8ca3d20a5b822ce3220130b8b772e6e37e6b657ad18a09f8920193216859c86e32d2a6e2efd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
a52697a9687f593acd9441c83b798df2

SHA1
73296de34bfe8b156bb258200404a6affae0de0e

SHA256
2768743a1e14581601e1b9f4a138b9270c0b530f0511286f0c4040e12cf89b86

SHA512
a8d3a7d7a757b773f989a9fcd23d75812b71c94f476d58d35b6f8ca3d20a5b822ce3220130b8b772e6e37e6b657ad18a09f8920193216859c86e32d2a6e2efd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\050b7713-5213-40c2-a4c1-5676f7f8fde3.tmp
Filesize
4KB

MD5
ad2e91453aa8fbe7ecdc5de363e29fac

SHA1
521e81b4faf2d5766bcf8adba11f4b7fb43202f2

SHA256
948ff8d0780ad29f4f920cd1707530e82642ba986bb5097fa88b696c801ac5b3

SHA512
2e0e04f885b57530fb18bf89c653477189b200cab6afd383fa12087c793d46e79eeb412c13e7c657f3570df76be8f2778fbdace6304202dab64e60d6e8204fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
96KB

MD5
9add8a2d0968db9bfeecea90afe78908

SHA1
0fbad9c080edbbfafa13582c16dcdce975ad8bff

SHA256
1de5ec9db21d2c963b10fcea854a1cc1d0cabbdecb268dddabd4f2294687e644

SHA512
851859d5643d30089a470a289b515098c5c1c7b6a0a4f832c04bcd291af250ad1d63232742fde80f606d0f3d7b6ab6d36326f643407caec62ff67d5c9a56dfe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
65KB

MD5
6d7f81b38226d4d03356a0e0e8fab222

SHA1
39eba5e4fdc7bea98c3cf95d616a58b5cc58fd80

SHA256
c64b8b89fb3375446c05202cf1e6db9ac0097539eb352e19725702b1e9e0e80d

SHA512
0ce9b55b957b07d098f55ca8127242e6f3c7527d9fbdc77b777c12c912bf22d1a3b8f9f2439b45634c881cb78b032ecfd6e0c38758d571a9fb1c4e9102e4e763

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b
Filesize
49KB

MD5
9e8361c00c4bc8c9c051dee5bfa339d2

SHA1
d36a51791035bf241d03661e2bbb0d13c837ef36

SHA256
e4d3dbd48148b13bf0c8c90a2319c3fafa42d4abaa9c89fcabb3585d986234f4

SHA512
3bd193a1ce0ac4f243ebf877d95e9bcb8aa287c46aa3737c85b80c0995de1ddd385d4b138718055a216f5949f0bcfe33e33e649c0982db6e8c56fcaa6b242d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029
Filesize
16KB

MD5
01d5892e6e243b52998310c2925b9f3a

SHA1
58180151b6a6ee4af73583a214b68efb9e8844d4

SHA256
7e90efb4620a78e8869796d256bcddbde90b853c8c15c5cc116cb11d3d17bc4d

SHA512
de6ca9d539326c1d63a79e90a87d6a69676fc77a2955050b4c5299fab12b87af63c3d7f0789d10f4be214e5c58d6271106a82944d276d5ca361b6d01f7a9f319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
f90bbf63d9ad6fbe7a848509cc9423d6

SHA1
64457f0558f5a6bb3955717d087980a9469cfff1

SHA256
3632a89562c29c2496cecaca73dbcdba215aa32d64c7918b48ce5827ea3c6844

SHA512
0f5ffb6a97250ef1b2b82497cd02780378e0acdb4b7ea60e61f87970946e616192567ca0227b1f83fcc43a7df3f430c9d5011cea8b9a35dc821e4af96a968abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c589cb8e5e9b1f232b6067acad07acd4

SHA1
8c0700df01e4d8e275bd79dac387d4ea1fd1017e

SHA256
f9c7b8cd7fd65ee1ebd6ce330fb0c599a4a0ac945b64aab2fc6e7fa6a0d31f62

SHA512
c1072e5cd4ded437568e6d1e22f7b18d81240e1494e914289120eca3379cf7668cd6ed5cd4f30524c3bcd6ea6aa4242022ccc89545cefa25a05a4aa3475ee24d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000002.dbtmp
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT~RF6d1dfd.TMP
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
4a21fd38665daaccb14b9e145c95a4e5

SHA1
b2647fab4a96ce96faa6864de65ddf423fb70fab

SHA256
e123833fd57c413f2923934465d5c42b35425e2369dfd0bd051a531ea1251275

SHA512
500abe0ad52abe1d00093886c1cd3c0901046d38f81b9013e071dba02041549b46749f175d2dd523932ab2381ad73a4fc80bcc324fe4d885957bb8fe76f25112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
3c5912bab35a8987fdfcd96d30eeb115

SHA1
08d94be32a4b73bd9ba40f92d2d893be396d4936

SHA256
9af86558900d1d866136199ac4775d845fddb2b82cb2a8e3b9688a62bda1e784

SHA512
d8a40b6958ce6ab6201bb699d73085441aaab1c7852385b5fa108dec062e8b4995c8dfbbd87026d7d060324a4299bb7b1136369bde438d55b4f6c3aa228ce22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
e4b17549e5ba07c4461b3d1156f0ea21

SHA1
b9a72990396185efaa05026f739b5328bc640f80

SHA256
cb383acd116ded36d0d17bb6c8ad0d65cd5922ba0d2271893f7de4f2127efe3e

SHA512
0812a83a80ae8180490a217f60ebe74a2c9d3a2a8978cbad6601dc0ed4dcea6827949fd82a2bcf9140a2d4474cd5f2b37f24e20f02b69000927d9856addefaef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
e93fd2869cdafb119bc88941661733a4

SHA1
c786d26937574154c1a385667b55745e1d98ca38

SHA256
859dceb9c8b21548d98d3fa80fc0dbf246e63ee64788db0f1e37afeb86496003

SHA512
be803d74f450bc8731bc75ccf50d60b4dc14996db434c21b98748a281ba9cfc13d2bce775b2518847aa458a4986ec58bf2e62368af3bdaeb877f845c70214281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
acb48c187a06e7277dbb7864dc50af33

SHA1
c5cb7591bf6c9445536a8a9535779e2e3563632e

SHA256
9f8e8c481fb1a98a420a03f43c5427ac83a262ead9b7a1756a3de8f34e5738e1

SHA512
de63bec3c51d228a669abd15013d1f7bfb82c3c861b1d327ead761c65bcafe67b6d708d6dd49254d9c5206089c627af3fe838825609b6256fb40c12c33e34f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
e9028e00778d95b3a5ecfb0617141c0b

SHA1
58cb7f4cce6c81eabf5291de73613f12ab0ec51d

SHA256
143d512af80c96fae2df188a7272d49cca58b17d370d51f8597843798ced4ad0

SHA512
48aa877c29462379abcbce4b9aa45fd480ace1945ec0564d88c94eb6f0a1dc445434846eff23e7738d12624bd3f842db81173450a489da9ea7c985b808a5b20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
cd4e8e91e40c2332c0cf79a0586acdbf

SHA1
c5c62fa512a5e65c119b992992168eefc70280f8

SHA256
50c22adc6823610b8c6a32c06908eb34da03ab5dfc4425ea256d2f06fa879556

SHA512
5ddbc462489b80f48ed3f16cf75dc9fed0158ee614098c6592baf5ba392d345adff18285efc99840b49d86ca9e7861c310d2c8ac98e304c5c8b92745fd08042c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
d352f9e1f6b4fc7308ec2194d139078b

SHA1
5e71595a2b59b69d1f3f6ae975c6f1950661d6cd

SHA256
00c36cb4dee155794d93e117ece57f050d2f3d7e92e3ef28b6ac5607fd05d509

SHA512
262fdc889353cbd871934144e75e6f738f2b129a4f82b41f7eef9ac81919c0758c13cafea95a9fac5ebb3080c1cbce8da315a2e280366fc9c6bcc3b0c4a28818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
0eb2005ad21359534f8bcd65c932568e

SHA1
6a1ffba2a83a7e1e8501b9214e3ba04b0a514d59

SHA256
880e3547ab7463b5104a811f39f039c0117fc7addad3bbd2bb5619f5de051fc3

SHA512
acede2682e150c7a1c2bc2a9a1420225e8425ea76d9189b4e1e41928bfc05064ebca2361516539dd36e1fd5aef37c8670d07623646877f32d8d1d8822d184d15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
e95f9023fd222f9673b934f8802cfe75

SHA1
385dfc456397323b6a707964591b4e1bcd01a578

SHA256
7842932549b4df23ba745d2d4c0fe4dc59a0e3bce5821756e2e2ffdb3f8b1549

SHA512
213f8bca967b711ada2380111d155abba1765f8c5560c810aa3355d80d3a060adc772082a296606f06293f6f9a36de95defb85944b9bc24609a56d04333f1d0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
646c7738c1bd1206d5f3c893cb6c0f1d

SHA1
d835ac72ccef7add17438770ffb53d0cfc7490e7

SHA256
a3f9cca143290966a289fe0701c35f5c9720c5363235c612b13d12644950e2ea

SHA512
193048e53707b59dac6e97b9c51cfdf9cd99591aa3e2c5e463a9811a83d2a1741f40f6665bd97bbc3e7407c806098035f6ef289c64973c481f5d65a8260e2dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
ab85e58eccf30324752f3e8f5546fd02

SHA1
149fea78aa040eb344d657573dca28bbacf8cbfe

SHA256
dfe139b1eb6d05fdd955f7925ff4bf7a72bf22b817de9b9827e3148ad45c1856

SHA512
ab888f82d3a76d8be35902a9fd69f855813d9dc8145bfa05b3ffffed6a5a7c83d52510fcc96eb99a718cbb303278fe2c2c0323528accf0ce588172af7d94f5c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
fc69deffea151861d197f0140121b0e1

SHA1
efa4f3e844e4722d0061cab4129b6785d8f4830b

SHA256
22223e3c355f25a86f343ac9334abf3d241402adbe85a6af6341aad1d5395b03

SHA512
67ec0dba53f3976fa207f9d52ec81545182772d239e986f55fc1fd7321c497519032f259d2d12b3757b44803b9d06d9180d18a2deb7644bc96323fd084a560af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
53795641a36466d5602765bd6ef3a69e

SHA1
834ae2e7e5f65aa419cdfcd0a5c479d7d2ec89ac

SHA256
7fa12d09419d8027c20fc27fd5ba90dffe61f320e9265785d9419c884bf5b305

SHA512
f455e2f7bc37b41605adf1b9ba0a479170001a00fff6400eb1ebc22c73795c24840f7d5aece208e8419dc807f17c1359dd451c22d4d06cc9cb34aa65158abb59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
a65cfeabb511588285eaae900716228e

SHA1
80b3a35f8654e873f14233e41128a3941b78cf33

SHA256
67ac2f1f1d450b652a70c5e37e3175fe27435b27ee31c491572c5eca05568382

SHA512
79230d44fd6cbe561756c691d2d810d0d95c2bd9dbfe61089178cc223ecb2a6075b744044b44176efa2be6b2c4aff48b59462120965baea08e34b625bc6411dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
f55f63064055327b8d030966022d7bac

SHA1
fe0732b3142dba9d056337f1af921eb21a4893da

SHA256
07a8d20cb43e8577bf61fa896b23c5b1cd52bc6275f54b754cc3bf19239ed37e

SHA512
894a2d41de40a558ee1fae25c8ee767a410a5a39d6ef7a77daac6745d62c5d1542106fdd7392a74114dc28763e35f0de698c6bd6be0435c14b237c6fc87f671b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
cfadeed919342dde3913749f0bc7d855

SHA1
00a1457cb503ab5ca01c1fc57b5f43ae03383855

SHA256
925a516d10c2d645f7fb3f0808b71eb6a320a3452ec963d4db147afb1f8afb59

SHA512
bc5c29d6f0368123735e7d85bcd22a1c787283a1c3227b0b02df345fffcc0aab1c1218bf66d762a20d06ceafb9d336fe39057ee6cfb221f577501bf98a715c3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
422e0008568955f7c70bca1c759a5378

SHA1
aeb2a2b2cc2f7fff8e9a35e6ed343c46ab71ab83

SHA256
5d47ac2d9e597cf2f75bf771e4505665cd4b5575dfd2ef9381f0b20eeedfc901

SHA512
adba26adccde26f5d81fda88a96fb0a1a6f6adf7529903f5e1b7d7574710f2a1b27866366b02de4711e0470031e70c2750828f61ceea4d9e27b424c8aa174537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5a17696b1f1f6269e05e02241c6eba29

SHA1
b058ed3c683b858e850fdc8dbed0e68780a1d42f

SHA256
6c2136560d90c71c1234187701eec895954520917a3c665f7b01096b6a5ef883

SHA512
d598b50cfbb5517c3f9c21bc2b5e1e65cf509e4f130bde9055915b3456fae95dfcb8ff9b64a7b1e92776196f312123a0451b0a89eface585801f5ebaaca8e24b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d7dd528d543b0e56481cac14ee0b5bee

SHA1
3f597ac6deecace9efe3d2d296c629aeba7404cb

SHA256
a92c6a2b586021ad1510e4299b8c800f9710be55afa11d5103eb5357e5eeb415

SHA512
409d1ae0936f1fd4fb8461083c6e945ab8a5a7c235f8c5d93bb0621afa2bc819975aeb695a71f222681a742adc5f397a302132a56f2bb361962b6930377b88ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
67644f2c215ce73af5d7fa88c924f274

SHA1
e16416a0a9342aa3e787e998d8b2c164ebaf652f

SHA256
5e60a390db47ff0f781186b59dd52960644e78770d84acb3907f4c6ecd67b8e4

SHA512
d9cc64ab6cd55cb0ea2ad702d4890f7886036039c52613a78c9322476b229b8628c9168d199d2c862570ccff5a76139fe0b4e5cd47e28cffb4e423295efeac0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
5d8b14708d97f4e3d4c74d9e296ffa24

SHA1
29286740470d5b7bbf3aa09959ad45097c731279

SHA256
bbecc0f32d0ab1fc292637f35a2cd9c45e790bb6ab2f51ff0962e8647f26ef8c

SHA512
4b71eb52d64e78d794c3cbfe4d2386305300f4022af180ef5d5964ca1de59c1684f63eb75605af551750072ce32b82d8bc22e89987b071702a05887d12d2adba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
f315b9aa08e95dc9871f6d5df37efdad

SHA1
80e4637717d4d1dff1078e32d9174439d8ee34d4

SHA256
72e8d0c60bf68fcd94cfc2c86726178460d1e76ed64f232f1b49dba7507cf4ae

SHA512
a6554969651769f7fecd6b1314f51e2f471a61e37f7dc03ae8abf615d297de96a1d32ff3419138962e53d0abcb7a2f4ffdd53fe4e8044a86281dda4a285c7eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RF6f1768.TMP
Filesize
2KB

MD5
ba83715720626e6c9862c88787db3f95

SHA1
f027d287493638443a226e7b91df61fd265a0dae

SHA256
164afc067cbb7fd9e60e4419f978e6e67cfd6d33182e106e399abb0d92bcf783

SHA512
eed84f3cc569e83f5cb54cf5a682ff6799824e06ea99a5e99dddc2f9c1f6941530e289007bb174224aadb5c3c15fd6ef521d81dbabca93cc57818e31b8bc4b7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
6c3f487d93fb162aebfdfad653a15efc

SHA1
bc79a34dc348993c7c8408b35ccb98bf8527c874

SHA256
108fe1e0b737a3ce90ed6d07fe3ea16879acbb9f5b1ea700bd6552590e42908c

SHA512
d52f551307d4d2c10ab096093992a6ad5de291fc83d535739fd58d8356d0c5a6f15382f76aa37af47f55c19fbd3515d596cf5fc6ce49ef3aee5650a3334c649c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
736a4d35bd95a2d59d2093fe26156b0e

SHA1
cd176ca59c0de7e986319dc2268dbdc781dd34dd

SHA256
d22075863d55418fa051eb24ed42bafa198affb66ddd94f6d78165d9ce616a8d

SHA512
4af3362c6178961c60e7cd9591c48f1148752f9536b3ae4727d1a75e2c1299eed88bafce3f2121a15d80235d8ff43db3b4b96aa2dbd91e7e267fb0d74d4303c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
d088de8962e4b654fa46f676a951e28b

SHA1
2074f29e31da7826c72fcb9dcaeb01a8be6fa71b

SHA256
d84ff4c93271a2f43dbe77f376b91d205e36a7cf3ec1901ce6512638210f63dd

SHA512
9acbb762917f89e85464b7074d17b2c9dcd21aa983c5cdaf0ad258de3f0cb023d0d75f6df1af8f0b6e02b00901eb9f3a2a9e6d29acff8d8ff2950be70892615a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
ad2e91453aa8fbe7ecdc5de363e29fac

SHA1
521e81b4faf2d5766bcf8adba11f4b7fb43202f2

SHA256
948ff8d0780ad29f4f920cd1707530e82642ba986bb5097fa88b696c801ac5b3

SHA512
2e0e04f885b57530fb18bf89c653477189b200cab6afd383fa12087c793d46e79eeb412c13e7c657f3570df76be8f2778fbdace6304202dab64e60d6e8204fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
45d1da67b9d4bdc53ad4b5174c2bcea4

SHA1
cfa6db7fe1783ce9f67e4ef4f9e7f91ea03a5004

SHA256
ab67cea9ae7ee5496b1cf71ce44a49802543366d4f7525d40b6f734c2e15a738

SHA512
239aab225437fc49b526e8277273d812eb3293bfb8dcaffb49319ba9f39bb8509688ab21c4b10dfe445657b5520784d9cefd9db25e30d32937eb856ca90306d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
08c421fcb83e173dca970ea25ce5ea6a

SHA1
2bae355f35771410ab42526fa740822660f9c4c7

SHA256
88d5a5f85bc208ad011049b525042180b4fe016a9c46d0ced92475ff83ad7860

SHA512
f955357d8745b115d05df88d66ee160aa38a85db580943bccf649e9a99f1e3b76bf11e8fee87a7f98408d482e54f7e640026a040aa26582660b1c2c7e964c8fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
bf63878a141e2ab9a7d677437544bab2

SHA1
bdc0a7310f42b76567ce6f66bf17be09327ae320

SHA256
f79576d9cce7c689f70ad9c004a604d0039b85a560afbff4e8dea8b198ce955e

SHA512
0ae05284ef53c7dacea810f2663922ee0aae103fb9844476b93b747d9c727f4a59ad5ffc25bfc63c9d8149bb2df461dc1395a5b7038e949168be21df375a95f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\07asiie\imagestore.dat
Filesize
9KB

MD5
0ba3e8295a402088ebcdb7aa5cf5ff35

SHA1
3904d32a503d93a5a6f317c0817d27568ba43f3f

SHA256
1e9bbba3e3564cb1235d3cdca572f73732be9a791587d66b636449f01313366d

SHA512
c2f4b5e78a023f38205353296c0ee0ba6722a81942dd577ba30c869a8cafdd644aa6584eaf5d33234b3a9cdb3e19ce52eda9e93871a0f41e0e11d288bc30f3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\BatchIncrement[3].json
Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\WindowsPlayer[1].json
Filesize
119B

MD5
efd3cb52d253121d226d4993f3a53fd0

SHA1
066779a7678c6134132c56f9c0e64cb5423711b0

SHA256
d49f693ce8ccf0d4cf1704efe4b60fdec4ef93b455ea6da3fef2d83b6151a458

SHA512
b49042157eb0c5f3024b14093cd9e626992ab59446b67f680d5bc5c6be586df406caecaaa9b33ac3cdd1585f54c68d4fd3fa81227ea86fb5fbfb44fd66779ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\favicon[2].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\PCClientBootstrapper[1].json
Filesize
2KB

MD5
011de36b0efa683882229ecae9b55afd

SHA1
4b437507fb2643fb90fb24d563a64a79cbc84fcd

SHA256
fab50d3c82cab58eabbd914934f8bd56b1d0f270be25c31e29a6c9a92ca42425

SHA512
e04341afe5fd8ed422f5a3aa1386722bea872f49d7c951877d56e38e6db4c549a42156c2b09cf75f7e7ecf66353c5f894b89306046dd16c2f435dd6d5da84e4c

Download Submit
C:\Users\Admin\AppData\Local\Roblox\LocalStorage\appStorage.json
Filesize
10KB

MD5
98d2aff0ad570f56298b81b75174ef11

SHA1
f58f996cd7efe818c049f27bbef0c626ebc2a16b

SHA256
8a57c6760bacf339d3bdb2ed4f4be4131d79d494d17f7a58539ea391b2f71767

SHA512
ac6326ba371b8a3f84c76a5400ee6a500b1390adb526e47a872a7ca71d41f965491de7f55496efadf5b9ce128b7730cd07faff8a31b8dcf5bb1fd5d9e2b416aa

Download Submit
C:\Users\Admin\AppData\Local\Roblox\LocalStorage\appStorage.json
Filesize
7KB

MD5
87ee8b1ff6bd5a71e6565d04ef1313b4

SHA1
421a94fe8872d00428cbac4c60b0935ca4852cc4

SHA256
9f96e488966aeca339ec5035311366c520ab9b75f87eeb45b73743fd23ff3b76

SHA512
262f3aa5a9edbccb5f0229e7caa51a6beb0ed7a194c19d45f0a24c5cabdf6acdb2cb30f743630c14f14b920fd804dce1516baa9e074fc9e1f5dd90938b9d076e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js
Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip
Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox\http\767fd1c86a6438f2df71a3ad990afaac
Filesize
32KB

MD5
70bad7a0abd49779922c78b20c1c65fc

SHA1
ba263b9cc5ec9353e9dfc2967b82dfce3ea67f30

SHA256
5212fac4918b82cadb64f6cc5ea80e41a0ae20c3b4e2a7656fa44ee4f0d8e780

SHA512
e6c91e5e96b03f70c99c70248dd13787f738c9894c6352b0e4a2801f9c30c064f90f0584aafff83c3d1d532a070a0c40c8ee0a17b92f9d97bd9db822908da935

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox\http\RBX15759312C5D040AEA074A8AA5FBDCF85
Filesize
91B

MD5
b04c0dc18c7d55cd67b193981117e8e5

SHA1
de1b8da5292626c82c5369243ab17e1fe87819e8

SHA256
0e9e0d48cb004bf17d389dc2d43451e7c45546210703bf2c36048568477f538a

SHA512
e6a2aea601a6cc021d9537fd56eaf034dbc5932f9dfeca57fa69921733af8d1c22fa4997a596f2895ca60a9a064ace6a135a8c5893381595521da9cdcfcfbef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox\http\RBXD8C72EA392B44D5FB4709A895E201A0E
Filesize
91B

MD5
934a11b8eaef18e6790e660f167b251b

SHA1
1195e4573af3ac1c966de8210b162d76f57df7e4

SHA256
8a8ffcca05368fdf6f8941aa5ebf50c565c4946e660dac731827703d5d36665a

SHA512
7b9ec190b7cbdaa40921a775beb6cc245f9e92b12785d0c1a9fc6285a996a809a2c80546a099fbdf5e2628404e4cedc2ab652f3e02c27012fd2fb3ea6d1ddaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox\http\RBXF85B1514A5464DC8A740E409E14D7631
Filesize
91B

MD5
9de52d85b06da1acd48afa0d6d1d19aa

SHA1
6683b9c8eabeb1f315873fa6bcdfaaafa9353ad6

SHA256
8b231ef4bd7d12979f583d8c1b89c66ae7e379d6557a1bb6bfeffcafc15f1a2b

SHA512
f3c1210177102ad92dc8661720f12f4c6aed3a86991b59c823471464feb2eed41cc1512acc864cdace009852380701c20a694fdc0311d5a023c2b9298979c8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7798.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_1528_RCBFACUHGDBAVWUO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
Filesize
2.0MB

MD5
2c3024c6aec09f36db69877db35f8e4b

SHA1
b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

SHA256
ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

SHA512
f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

Download Submit
\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Program Files (x86)\Roblox\Versions\version-b7209bbd7dd04d17\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
\Users\Admin\Downloads\RobloxPlayerLauncher.exe
Filesize
2.0MB

MD5
ea422ffc74fbfbd6d980ae8e4d3513e8

SHA1
1f1b01250bbab5d1b893add52c1d6654336c2f00

SHA256
47d56b778f5a1815155fcb5c6a782df9a5b85866a1ced4d3cf1c4bc8dce8e17a

SHA512
806b4d93a6435f1771b6022e9380c4cd7e039aaa659c4fc72b0d89b197432cbcbddaf72ed97c4c2d2078e250e421cfe8051c601122cbc324696219a25e63c3d3

Download Submit
memory/812-204-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1192-2855-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1192-2852-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1192-3013-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1192-2863-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1192-2868-0x00000000012C0000-0x00000000069D9000-memory.dmp

Filesize
87.1MB

Download
memory/1192-2867-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1192-2851-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1192-2864-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1192-2854-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1192-2866-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1192-2857-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1192-2858-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1192-2861-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1192-2860-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1368-1761-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1368-1762-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2516-1826-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2516-1840-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2516-1841-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2516-1824-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2516-1827-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-1828-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-1829-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-1831-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2516-1832-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2516-1898-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2516-1834-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2516-1835-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2516-1837-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2516-1838-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2516-1842-0x0000000000BD0000-0x00000000062E9000-memory.dmp

Filesize
87.1MB

Download
memory/2516-1825-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3916-3488-0x0000000001E20000-0x0000000001E2A000-memory.dmp

Filesize
40KB

Download
memory/3916-3508-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3492-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3495-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3498-0x0000000002D10000-0x0000000002D3A000-memory.dmp

Filesize
168KB

Download
memory/3916-3499-0x0000000002D10000-0x0000000002D3A000-memory.dmp

Filesize
168KB

Download
memory/3916-3493-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3507-0x0000000001E20000-0x0000000001E2A000-memory.dmp

Filesize
40KB

Download
memory/3916-3494-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3509-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3510-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3511-0x0000000002DC0000-0x0000000002E1C000-memory.dmp

Filesize
368KB

Download
memory/3916-3512-0x0000000002D10000-0x0000000002D3A000-memory.dmp

Filesize
168KB

Download
memory/3916-3513-0x0000000002D10000-0x0000000002D3A000-memory.dmp

Filesize
168KB

Download
memory/3916-3489-0x0000000001E20000-0x0000000001E2A000-memory.dmp

Filesize
40KB

Download