hxxps://www[.]youtube[.]com/watch?v=oHg5SJYRHA0

Resubmissions

12-04-2023 18:13

230412-wtrvbsfe21 8

12-04-2023 18:09

230412-wrqjgsea55 8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-04-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=oHg5SJYRHA0

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Executes dropped EXE 2 IoCs

pid	Process
4784	RobloxPlayerLauncher.exe
2292	RobloxPlayerLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\textures\ui\LuaChat\9-slice\chat-bubble.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-a406e214-4230f473\ReactDevtoolsShared\devtools\types.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\FriendSuggestions\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\DiscoverabilityModal.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\avatar\defaultDynamicHeadV2.rbxm	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\ui\InGameMenu\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\iterator.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\MaterialGenerator\Materials\CrackedLava.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\RoactGamepad\RoactGamepad\debugPrint.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\Analytics\formatFriendStatus.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\translations\CoreScriptLocalization.csv	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\RbxDesignFoundations\RbxDesignFoundations\tokens\Console\Dark\Global.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\utils\getActiveChildNavigationOptions.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\QRCodeTestSuite\ProfileQRCode.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RobloxAppLocales\RobloxAppLocales\Locales\kk-kz.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\AvatarEditorImages\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\ui\Chat\ChatDown.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\FFlagAXCatalogSearchSizeGamepad.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\UserCarousel\Components\UserCarousel\navigation.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\Components\StyledImageSetLabel\withChild.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\TerrainTools\mtrl_grass_2022.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\textures\ui\LuaApp\graphic\shimmer.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\NetworkingSquads\Util.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\Dev\TestUtils.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\StringUtilities\StringUtilities\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\SurfacesDefault.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactFiberContext.new.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\VirtualizedList\VirtualizedList\Utilities\codegenNativeCommands.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\ui\TopBar\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\textures\ui\LuaApp\9-slice\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.4.2\LuauPolyfill\String\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-a406e214-4230f473\ReactDevtoolsShared\devtools\views\Profiler\RankedChartBuilder.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\RoduxPresence\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\avatar\unification\humanoidClassicAnimateDefaultChildren.rbxm	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\MaterialManager\Favorite-Filled.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\ui\Chat\ToggleChatDownFlip.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Flags\getFFlagPassEntrypointFromAddFriendsPage.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\ProfileQRCode\Components\QRCodeView\useHasFailedToLoad.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\TemplateTestSuite\TemplateTestSuite\.robloxrc	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Time\Time\TimeZone.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\NetworkingContacts-96003ad7-1.12.0\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\rodux-networking\Promise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\PYMKCarousel\Dev\Rhodium.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\PurchasePromptDeps\Promise.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ShareLinkInvalidModal\Dev\SocialTestHelpers.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialRoactChat\SocialRoactChat\Users\populateUserWithState.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\Components\EventDetailsPageLoader.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\UGCValidation.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\ApolloClientTesting\ReactTestingLibrary.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-201ca530-56b79d20\ExperienceChat\createStore.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\jsutils\PromiseOrValue.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\IAPExperience\ProductPurchase\ProductPurchasePrompt.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Http\PerformFetch.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\Components\EventsList.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\PlatformContent\pc\textures\ice\normaldetail.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\content\textures\ui\Capture\CloseButton.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Components\Masks\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\String\String\slice.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\Utils\contactImporterOSPermissions.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\TestMatchers\toEqual.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-9898fbc5d6bc4b1e\ExtraContent\LuaPackages\Packages\_Index\roblox_networking-chat\networking-chat\CHAT_URL.lua	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34BB1250-D95D-11ED-9346-EAEAA05881DB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257966341758677"	chrome.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-9898fbc5d6bc4b1e\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-9898fbc5d6bc4b1e\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-9898fbc5d6bc4b1e\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-9898fbc5d6bc4b1e\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-9898fbc5d6bc4b1e\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-9898fbc5d6bc4b1e\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
216	chrome.exe
216	chrome.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe
4784	RobloxPlayerLauncher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	firefox.exe
Token: SeDebugPrivilege	3900	firefox.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2284	iexplore.exe
3900	firefox.exe
3900	firefox.exe
3900	firefox.exe
3900	firefox.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3900	firefox.exe
3900	firefox.exe
3900	firefox.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe
216	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2284	iexplore.exe
2284	iexplore.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
3900	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2536	2284	iexplore.exe	66
PID 2284 wrote to memory of 2536	2284	iexplore.exe	66
PID 2284 wrote to memory of 2536	2284	iexplore.exe	66
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 2556 wrote to memory of 3900	2556	firefox.exe	69
PID 3900 wrote to memory of 4692	3900	firefox.exe	70
PID 3900 wrote to memory of 4692	3900	firefox.exe	70
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71
PID 3900 wrote to memory of 3588	3900	firefox.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=oHg5SJYRHA0
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.0.1663013500\1882401691" -parentBuildID 20221007134813 -prefsHandle 1660 -prefMapHandle 1648 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7cee917-2b31-4234-8341-d1ac70a74202} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 1752 2100dc16858 gpu
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.1.732769270\1850360014" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2ff0c1f-81b9-49a7-b460-5801a366d6da} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 2104 2100c910058 socket
    3⤵
    - Checks processor information in registry
    PID:3588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.2.1843580377\1644505815" -childID 1 -isForBrowser -prefsHandle 2548 -prefMapHandle 2724 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64de5752-0299-419d-a0f8-7ddade82ff5f} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 2816 21010955658 tab
    3⤵
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.3.1534898137\1907637762" -childID 2 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6415bcde-2560-43a6-9ab6-2c350c94f6c6} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 3320 21011855b58 tab
    3⤵
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.4.456896053\1558055864" -childID 3 -isForBrowser -prefsHandle 4632 -prefMapHandle 4628 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59768ff-9bf7-4be1-a959-75d5d36b69b3} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 3968 21012fa6a58 tab
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.5.234631307\29646424" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4884 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d707ed2a-cb43-44d7-8775-2097f3079ca1} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 4844 210145fb358 tab
    3⤵
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.6.1314841534\1262491095" -childID 5 -isForBrowser -prefsHandle 4664 -prefMapHandle 4628 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30b701a4-339b-4560-8b37-68011d0af5a4} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 5100 210145fc558 tab
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.7.727035896\2012074177" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0835e333-53b9-4fba-8b49-a213310906c4} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 5196 210145fc858 tab
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.8.286594615\406106574" -childID 7 -isForBrowser -prefsHandle 2628 -prefMapHandle 2624 -prefsLen 26798 -prefMapSize 232675 -jsInitHandle 1388 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9418f44e-46cd-41a7-a245-5f9135b07dbb} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 1244 21010953e58 tab
    3⤵
    PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xb0,0xd8,0x7ff842079758,0x7ff842079768,0x7ff842079778
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1968 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4572 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3288 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4536 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3220 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5104 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4648 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5592 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4472 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4880 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4488 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1672,i,14377816499452080850,2953375550557261258,131072 /prefetch:8
  2⤵
  PID:1912
- C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
  "C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- - C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe
    C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=e97527f1946dcde1ecf49aa2cf30d420185b368c --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x710,0x714,0x718,0x70c,0x604,0x100d584,0x100d594,0x100d5a4
    3⤵
    - Executes dropped EXE
    PID:2292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
3e1634906e576e71becf3b0084f3821d

SHA1
2fec3414a7f154e7166212bfcd0cb300fbf1a846

SHA256
c041f06838dc23831f5cda5e27ed0702f377df774ae03eedab0d8468fa902eac

SHA512
e084c0e0862952db7a77cef1c6a8d6ad647a61058ada42bae96c8c7e36ec417830a9b26f370f95a271db623cc861ab0f9a3f26f793478dbeb3b706e28370007f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
69311f4081f0da25f895f5701e467e84

SHA1
25b43e246be4c89cccf4ef896da2f87d7090dda5

SHA256
ddfc25df18245500d8fc4e91984fe24f5a5724aa31848985d3586ef869de00cb

SHA512
d4484b3a7a5dde3d90ff6960d4c3cefac1fec8ff707bbbd192f354174db8274d8f332bea3115cfcd501ab73558e62b1edb60c8cca7cc41b9ff238999797ef16e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
cc6136aefe6b13ce4177dbf419b1e7ef

SHA1
39ebf67674e4e1ff5434c6094c83c8efa732b065

SHA256
ae97a4756c390788d956863c96726d731c6321e5fe71099fe0b6412d36d40d7e

SHA512
7503e4038339bb4b32d09f9196ba6052ded5678253b14d855aa2ffa7e684ac74cf2dff42afb5fd25d1eff4046709ca336022dd854941285d9a00fdd700cd7543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
aa62f8ce77e072c8160c71b5df3099b0

SHA1
06b8c07db93694a3fe73a4276283fabb0e20ac38

SHA256
3eb4927c4d9097dc924fcde21b56d01d5d1ef61b7d22bfb6786e3b546b33e176

SHA512
71724e837286c5f0eb2ee4ad01ac0304d4c7597bb2d46169c342821b0da04d8597491bd27ef80e817bc77031cd29d2182ccc82ef8ea3860696875f89427c8e0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
83be5d3fe066ba9787604b7a34c56c0a

SHA1
ea0ae4136a84813531aad88dde500f940a437598

SHA256
c033b0462c75016c556c2c3d5dd33bce23c5e63dde351b15606ac69ada331f87

SHA512
c459a27dfd2713aa86d3f0875fd6ec18361e80270a67b4082e9606d2dfa204f64fcacf5f620cd659ba179eb448952f3d97e9304beef17778f80f78ef869b7e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_E4F1DEBF504949B02CB0F8C7B5A5454F

Filesize
471B

MD5
81375129214a57d2dc6793c1f3ac675a

SHA1
d123df1cd6676e813a0dc11b5226616449ba6ef1

SHA256
c08b4485550568c320579d60318c5b1fea9220df17e490418a561b541f6f2441

SHA512
a42f22905cc57c8ea61f205dc00c43a9c31c4cc9249248873e4276a68501e0a83516c0e2c7e8a25fe1b50d549ce6a665242aff94ea229aa4d3f7b6fcee10b118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_4B05AB70063E9CF4CEFC3109F1DA8D9A

Filesize
471B

MD5
eed552c0316d85311b45cf9aa8d8caa4

SHA1
e47a6dc899ec5eb63e8aae694c2752a24fda25a0

SHA256
83ec9e9423638d013bf2bbe5237c9c987d9ff6e4115958f64d0106361bd6dd15

SHA512
7988a2cdf747a61b586d649bcf20a70eb09da515458f3599ee5c235c3082df0cd1571346e71a6813f4cc4c164cb2c3eca68f86c8e14f9418a940b7a18a508f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
dd7bf6a9a1e03623769a84465db89989

SHA1
f71ada4c699ed4262a1869dcfdffd100ca84e8a6

SHA256
55a54c97bd4982c8294c99ac5e189586b4e97e0a2204b99f95388b3d3963668a

SHA512
7f9230fa6792995613dd554be6f7eda5628f2f89659d5b4e78b7dc20aab095487eb7153ef4681f72d7ba37bbaec1a3e068aadb2c636f56ba647fedc17c323b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7f20866a66412e0d891b84f914bfecf3

SHA1
b30e9a907adbee6d2395bd0d71d77e5b144bb16f

SHA256
703fffdabd6eb526116a844e824e51f1f82af6c12a90282a18268ecff3613e47

SHA512
9d71c368ea742269e9d29ea39fedf0e55d5f5e7e4dcc88dce0be93cabac037a284f44265df8e4cd11d6e13eaf1ba23597308b9f4f3cf8f61300fd27d449d4e4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
5c277538e9300c707aa8245a4aa5d1fe

SHA1
d868ecbcf3626bdf9b3826baaf9c5d3c8f391c0a

SHA256
05bda9e54cd8a0ef812775dfa0def4a442a537c06d9501565dab15a831b5f44f

SHA512
c4a04077ec1d5c3522d4b54fb22bdf0c80b3a905a43fb52341a23a5db75cd3b8b9a79b897babd1b59dda465008d519547e8e0b0158ffeaff925da03fbdeb0921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
1be0e1e9bcca51339b7cf075efc22767

SHA1
5777e21a09281c4728d3303f5b81feb1ccc3f2e9

SHA256
b0118e6c778c0d25bfa99cb5170786f4a40155bb25d865786bde8bf262f84a5d

SHA512
f9c7ccab60a629b2d0f2f8d7b39e79caa82dd1717cbd673b530ca9a5c9d5947e6fe85d88ffa12976ac160d5d5aa793758b0a7d4157c0a2a31b4a8792773f1688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_E4F1DEBF504949B02CB0F8C7B5A5454F

Filesize
406B

MD5
cd7e46a613ba41f53b6a3986bc160375

SHA1
951ae5f5516f8ae5839d331f3b6112fcf4808504

SHA256
8d5d2b9098ea1d5990e5368c3e1a899b7e2e858f7f8c924e93fad5a48c29bfef

SHA512
dbf7a013ad9bacc2c4534db5915691d24215eb8ce9b46a3ed93f104f21568a7d26758a2e5592ee0179b105943b3b2ee9388ac045f1fc80629cf503e9fa6d32a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_4B05AB70063E9CF4CEFC3109F1DA8D9A

Filesize
410B

MD5
ca021eb29ff90b13c05783d297d2b673

SHA1
0af537bbf0de9336efe79c32fbd4ee4add77869c

SHA256
13a85a4d62322a7da27c64f7734f51682baa962fd8575e973eb840dc35e4bb9a

SHA512
59848267bb1fcb2df0b7df361bc20a4a1b554034086ca2c9124d21dbf8c347531118031512b6b790240bc4e33ba31cff9ebc60a188679d68a2429a0f36ff7cca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6acaad6e-d7e9-445b-aaf6-f3bfd669ec26.tmp

Filesize
6KB

MD5
161a08819fe60e305c7131d1fba05702

SHA1
e9c34a77abb0be1877d8383e42b37111c66ee86c

SHA256
19176b05f8ce07e14dc20b536d71f7fbb945cac4605f11e4861505e034b44cf1

SHA512
353d86b384cea35007013161e464fae87de9070a62fcabb9146fed6d0562fb6fa0663b11da63f4383b21f159bb0920aa65c1798e3ab29ab2eef3a03b81a2aaed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
117KB

MD5
044aa2968817aa931541f010d683685a

SHA1
8e9f3f4b305056e5cf2925f17d4d02a909757edf

SHA256
6907a6a7336439e247477060e5f5472364386f5151a7487519076c71b8be1b3a

SHA512
dd70e489d1fdac8c84671d09396f990258b04801dd1e1aea3454b1ae78e4a51a1e8a974ade09cd565ca9bed3ff71f9b384b571c6c310c3d0412ff38df566bead

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
65KB

MD5
20492a6c3dc6c253712e6bbd1e37b114

SHA1
633a743125905ec7da6f9dc0a98e69b61e53005a

SHA256
08fcbb7d201d572803c7f436f4863d02c80eb43a22c17f0c55c6d349a849ed48

SHA512
4d5b89cdae3c561aad7160f9473b59fab029469dd31bd6c6454a0e5e7bcd37b426f6d4663daec57c31ac1fb861e790223560a88a543206de03c1d8d918566865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2be57a25c2f784c0ae40036cdfa3efb6

SHA1
44df1023d122c65fa0fba1ca52ffa92619b0b479

SHA256
38132cb0d750744fd0d730686a90ed2518b85524b0c6a2a5369d0a467ae07131

SHA512
e39825cb70fddb610ec65566baa74e491022cbc33df231e42fb2049c0284ef001addb96574620b1f6d363ac12ee10e376274cfbf6a9ff0164aef4bed2f4e4c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b00bfeb7fdac55b93a11371a03d220b1

SHA1
d1858f9937ff5b54403b6492d04da313a66ac68f

SHA256
4f2f9e832aeb0f1d6798a35c2643b443f42b6ac9b2234c71f682b99351ad63a0

SHA512
3b0b765985673ea85ab639a2cdd0cf3a5c62e1d23e29f186ebedcd6d9d0bdf43737fb5573cb7f5eac829d4a35335625e16d35385bf9873986748f10be68e32bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c138a6e3c6bae7d91f9f2a7d6bffe268

SHA1
105f84dc8c630642ace005a126fa241ab97c4112

SHA256
4b5f9515db69aafa1680ff1338821368b56c771defc44f505a275a6ac6ec5080

SHA512
2b9f1e03ae8676bf50077ec7edc54a4457874bca2f3e6e179379465f00ce84307af3b556e5d00e37afe20e14bd42fe8098bba679f594a40fc45aa107e3c96b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ae1cb6377a9bd19bdf83a4f7bfeb0fc1

SHA1
2b31192d561594dac0d0ffdb3868d8e800c3d66f

SHA256
da1741dbeb237b3fd176af0e12e8c63db490682a7744134b3a404b62f350c537

SHA512
008119a1a3e0ba863d824b39c8951c9af40dd55fa759ca3921792067bfa6eb466400655f1d3cfa8d4a27833f4d3f882dddb8dcfc08ab20e917c9f6875841700e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6dd847f0d290f518e25fb62061f36cc1

SHA1
5235fc585db3871730298fc9039f3b2aa0490248

SHA256
1c88ece95f44d62fdd73d624376148260ab9aabbb69cf95879a17d2724cc3157

SHA512
606e4592a703d4fade4139c52c586650909fbda2225df5a269c897c0861e28cc3381111d90ddf2c1ac90884f792f88d7b988606802ee40cb92cae5fd3ed5b1e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
80864aac297cdcf49e3838a91b67a83e

SHA1
b85cc23c7a264ee9689f8475b671400aa5253cce

SHA256
3965ac2c3c2cbaee053f89dfa504bcb05e4472aff2eefd19a1de5bb8fd58c1aa

SHA512
bf8b682b751fdea92104c9f28ebc4459d37b37c4955eaf5ee430befa06a3b48364ccb22e582c2af2ebb106eae67555179793955b7a14d6b3af588f55194a7a40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0cd21753469f69edeb813ec4be5af034

SHA1
183655d9c6e44ba9e50485a8da6a5f54314799b0

SHA256
b16fb860cae242e732244300afd948a5c95271dfb2f4ff38f8ff5a3a4f56cc62

SHA512
1fa46539b16dfafae4d03a2e2a91f51f3ea267a9a7017b326a38e0bccd6c99c2122180f8b16015242d772085706063a0f0ab103132372cb4b56ddc2e82cb010d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8d6c09126923206dcf12fb793e93fa1d

SHA1
fcf8444288ae209e4850c918e6f39cb05bccc756

SHA256
39caa51392b80c9ff3650bf147901693581e03230f70313ed154d6c7dd1fdc7a

SHA512
b2217d03020d130635d1adab350ca11f7a12bf7d7453eb12f5e02f644a15b9071aec5266b7e38ac808b912102e51fecdd137764c6ec42f17943e19f9fbc948fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
532142741f17578e20470a733845b3cc

SHA1
20cbead9d745ffc340d16b560cc0aa5bf2d3bb5c

SHA256
a7c4a2e345c2d03c252ccce34e6555e5209aad620d8e001bf1cb8dd10b9a5354

SHA512
4e983f134c4b4f1829bc8c4e7e81c05fffb3972ffb3b2d79452981d394949242c78c6a38109288a75bc7087792fad841a7b191fbf427cb9df125fcc87f537673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1661d45ad27ab4e271db40653a61a5ec

SHA1
a28914baeaff77d3f7f64492a99db4839d5f1717

SHA256
f751400f2d74027986b0941c7d3aebfe4aac98fbb18ee25925a8e75445225df9

SHA512
6a4f503222429e6c9257a8bb7bd2bedfbe466b1057b33b5fb4499e70430340e6d31366d9899998ed60a283b968e1d9d41e04540feff191bbcaf52f3859a0b766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
19c0f85975ab826d195c4092ff3779ae

SHA1
6b28d678a7ea6eccfbc05ef150facb141f1c098a

SHA256
f66170c91e570ddb86411d1d19f4dd59014c1fb63c1d886ff9983eaf6bbae8bd

SHA512
8d572ce8da6219aacd7106d9d17bf7ba52808b7edda325b8d6653f1e99a43d11cb31b9e8508b2cd13b2ae2b47e3fc2c4c1c1eecd8ea3a476249b7f39526303ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
fdf91c822fd35b16d25b4146967a7903

SHA1
e7fb87c1c02cd008775abb2e4c0ae0d24c4942fc

SHA256
8ef62ef0aed5920e780c0bee0bab751dfeb512654ff4764a9131487eabba581d

SHA512
033d26e28b7bebd12555ef8f9dd89e56901a30fc761fd3680b27978575022bf9b0ee5c95d7f689a91cc3c28f059e685ec093b05a95fa2dbbf826db388b77970f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b3be6a1c33a73cfc81c5efb3ad052d50

SHA1
9a728aa363ff0bb7576f677d87c85cd28ebf1e35

SHA256
cd11a1f84f57cd4d36765a1eb721f84687e714ed3f62cb5c505536832aaabd64

SHA512
488aef36cb28834d255faebadfaaaee1a0b1b3103a47a0c67981e23fcbf82b4d74f1ec12024591e785756e650146f4d57aed77edb5760ad63e681e84c0c2cf47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
161a08819fe60e305c7131d1fba05702

SHA1
e9c34a77abb0be1877d8383e42b37111c66ee86c

SHA256
19176b05f8ce07e14dc20b536d71f7fbb945cac4605f11e4861505e034b44cf1

SHA512
353d86b384cea35007013161e464fae87de9070a62fcabb9146fed6d0562fb6fa0663b11da63f4383b21f159bb0920aa65c1798e3ab29ab2eef3a03b81a2aaed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
48f0be55c795537f8ffae8c36ecf48b1

SHA1
292d03c4bb3af571bd0f8fe38706f2be1168b142

SHA256
6aae9f33476cbd40c68dd9ec9500c76f1696db66fa804591a18e0e1b1a278c6a

SHA512
cbc0356d92a944bfc07c1bdbae515f54f5cecd9c43bd8486ee14e0d9e26d12d4d05c013370e193b0fd8d47621accdeb8623f1878003110f27d351ece47ecd758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0df429bff536a1237142c2f9ce15e5c0

SHA1
6d557f0df50a558b9ae1d846a7e0e38f16f059cf

SHA256
e81e9d5e9eaa304c299457afd443e072990176666e09101e09474bbbd6e61057

SHA512
28c83e8dd8555bff793a97427a9c9848c3ad5a63ce65ae4d6b016d6bf2f38bcc11451e280c9dd11a946a9207d2f8ec9bc471eb6b233bc00e016dfceb957b5f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
4dee7f2819c3cd8452baaaebb2134873

SHA1
ed410316473cb2d980d9cea23065d1f43bb3527c

SHA256
75a0fef7c5ef6df9f9db439bd255fed5176719d1d03e487ebacd1820ce8c5753

SHA512
1c352ed16da05c05abec3fb425da11e7e5de49a1188014ae29328eb013dd865cb7765298a820cd0d270fab82add7a8b99784614803e90b94544f80d24569d823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
99fc1077eeac1bd453d485edfcb8d2f8

SHA1
3c6a58053b6cf16c845a7a51ed41f1ddfac62c08

SHA256
24a4b354ac75f4ffc3940e895c2fb83c5ce9ee5c692d659ad768138ee626608f

SHA512
92954667bfbecd5b9d6019d8f03044d84679afa6d5a888c0cbfb83a2c4986349eccb47508f756e332acfbf8f867e6dec2e49b62791afadb709b162f1966fb1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583822.TMP

Filesize
98KB

MD5
f4fe8e6d9fbe8c4b0bf6f232c4012192

SHA1
c1040e6df67789e81d5c6bba82062bb10fc55be0

SHA256
ceef0c5a0638e22ebb7330e66755485a1598c63d4c7a14c781cc8d11c900eb00

SHA512
3b385fd9773787ba62f9a8edfb585b5a23630fd6d970dde9c15368a9db315f6a37ab2b3815e1e2deb6fc0c1fc19f50d6b310cc0a780b14b2690d023d461f6796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMT3HFX2\BatchIncrement[4].json

Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\PCClientBootstrapper[1].json

Filesize
2KB

MD5
3b7c2357acb948da94e2c6d0d32ec79b

SHA1
ce53693f0589f014937809f5047a604a96ae944c

SHA256
d52f5dacf73f3eee01465b1145212e33e4cff63d0b07ab6ce6af6d8f6fdcd77a

SHA512
87987a940ec99331a92c679cef60d04f1242c35bb937e92a689fd4380dd049f69642107b7604eaea3cec08935a9b627f9027e82b8027f42064eede454ee3931c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp

Filesize
146KB

MD5
d1493d46586f1f00bfa24cc498cc1dd0

SHA1
30eae806ce69dc9a925cebb0476444967638a0af

SHA256
a7d7784e90a4cfa89f8e4261ef169632dcc5c09d04d682aaf08eebbab1479716

SHA512
77790881c4c18a998569b8268e0825f870f770f5ccf6389518828d5ab6bd7ab7983e0a3bfa5abdcd676596112e7b9833d20333848604c71837583c98729313f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js

Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionCheckpoints.json.tmp

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
498f5aa999368f75c42770862c44f569

SHA1
2afaced9d7187269f89f54b73b97a87dc99e5358

SHA256
0439586b8acbb8d2d9431877f32fc671096eb136ed1cc3188d1b1d800ed00a66

SHA512
dd539617d988ea7c05199b7302b6585cb8b21bbe6652dd7ce867d63f8362ef99ec13fa483d9e6fa7e9444c1b853ec808ec9d7d3716641e3798dbcd8d7cab8908

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
8b048f4a9400f00f23dc5aafa1284874

SHA1
59b399677ab945a5baac9833c4142170491c41cd

SHA256
7b8eade7b3177637a842d2948b44aaf9cf07192a33871c752f34ad2531514e68

SHA512
edd69432d8cecdfac3cb684fd2133e473f179512c93ffbedbf8dfb9ec858da7ef7e439305a3551931449cfebef3abb06052e97d05bae77a11d3345bf014bc347

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
c519783a8ff04c41f07f207c47fde116

SHA1
19d600c06cf47cb9450747a2a308058c35f4ede9

SHA256
431b40284e85c47fe1c4bdca9d447e0c8487b39e45fa2a14e110f1223f0454d2

SHA512
0129cba7fece385a8ce048c195dafd8e9a86af692c02625a5112112bfd0f38c24c577bc3d0da9cf161d57d1f5ffbc674a84e737675bd8b09e43cbb92c2fe7cbe

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
c519783a8ff04c41f07f207c47fde116

SHA1
19d600c06cf47cb9450747a2a308058c35f4ede9

SHA256
431b40284e85c47fe1c4bdca9d447e0c8487b39e45fa2a14e110f1223f0454d2

SHA512
0129cba7fece385a8ce048c195dafd8e9a86af692c02625a5112112bfd0f38c24c577bc3d0da9cf161d57d1f5ffbc674a84e737675bd8b09e43cbb92c2fe7cbe

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
c519783a8ff04c41f07f207c47fde116

SHA1
19d600c06cf47cb9450747a2a308058c35f4ede9

SHA256
431b40284e85c47fe1c4bdca9d447e0c8487b39e45fa2a14e110f1223f0454d2

SHA512
0129cba7fece385a8ce048c195dafd8e9a86af692c02625a5112112bfd0f38c24c577bc3d0da9cf161d57d1f5ffbc674a84e737675bd8b09e43cbb92c2fe7cbe

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
c519783a8ff04c41f07f207c47fde116

SHA1
19d600c06cf47cb9450747a2a308058c35f4ede9

SHA256
431b40284e85c47fe1c4bdca9d447e0c8487b39e45fa2a14e110f1223f0454d2

SHA512
0129cba7fece385a8ce048c195dafd8e9a86af692c02625a5112112bfd0f38c24c577bc3d0da9cf161d57d1f5ffbc674a84e737675bd8b09e43cbb92c2fe7cbe

Download Submit