Analysis Overview
Threat Level: Known bad
The file https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher- was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-06 22:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-06 22:51
Reported
2023-08-06 22:54
Platform
win10v2004-20230703-en
Max time kernel
198s
Max time network
204s
Command Line
Signatures
Mercurial Grabber Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "243" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358358877516905" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee3179758,0x7ffee3179768,0x7ffee3179778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29951:84:7zEvent24600
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.Config
C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe
"C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:2
C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe
"C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3928 -ip 3928
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3928 -s 2136
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b8055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.114.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 3.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.250.179.170:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 140.82.113.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 170.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.113.82.140.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.170:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | 141.64.128.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4796_ZSNREBFBTEKHFEEF
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| Hash | Value |
| --- | --- |
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| Hash | Value |
| --- | --- |
| MD5 | a3b79fa347cab28e28bc114a877b9053 |
| SHA1 | a8d39443c7285c32739c7ab151c61f7bb15e5746 |
| SHA256 | 91cd6ce2913e302563b5428e51da6f6d9be56e12638320cb77e34ab81ba0b9c8 |
| SHA512 | e0c57d86859d4daf9900dceec7b2716469a91e2049633f0f12988982a0a9bc177bbc75f23f9566db0998dceba94f85afec4d01288a41a1e191c8f6a7c71ab957 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| Hash | Value |
| --- | --- |
| MD5 | 0db107cd0d5ed196737d76588767fbf5 |
| SHA1 | f24609ff7149ffbba77640bc215d17b7cca77067 |
| SHA256 | bf453a9689680b7242bb698a5a7717392faf79d7bab62dd85c88bd06f38a3aef |
| SHA512 | b8e95e6cb96815c9e8b5421b58796a5542b1ffd3fdd006aa5e0cec73388a74e29ed96bd8c9cffb4e7ba08a054f6e48bc3009253e507499b7ebed984c91ef1ef6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| Hash | Value |
| --- | --- |
| MD5 | 46cabd5360696802de48f4697ffbc919 |
| SHA1 | 704a2f6b60bce77efa077b60daf50e35a3794759 |
| SHA256 | 155235c9fcb6f23cc34f3ff97f556842fd076b10d85eeb4a816967345a1193d6 |
| SHA512 | 214ce71a736ad7d40d06ee0e16a306a500bdc2bc60255cf428ea41ab72185d1574387f358b0974e67b4f1bd1ef625ee27a5723a69b1102fcc38e07b427615a0c |
C:\Users\Admin\Downloads\RobloxToolz.rar.crdownload
| Hash | Value |
| --- | --- |
| MD5 | 9e0315239f3333402b42c51a4814e486 |
| SHA1 | e5d2a5f53f27ff704ddd1428b2abddfdf2665205 |
| SHA256 | 80c81808203ccf210fbd2cf93e2d069bad5a37b6f28e25f1a457873fd27c392a |
| SHA512 | 01390b2ef92ab12b5e7e23abcb2840462a2fae41e139fe4339d1a8555ceb4a07deff88544747ba94068c564709d9fece237c2912503cbdb2e50acecfde65081a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| Hash | Value |
| --- | --- |
| MD5 | c74fa55c611d605a85824ada8bbf78dd |
| SHA1 | 54a7a5b7d0d7d5f7743d8adc20a9b527f63ec597 |
| SHA256 | 111da12f3779f8e4319b1c91039804603039dd0fa9a2ab881a4771efe693ea60 |
| SHA512 | 7f9deda1c8370f8a5bcf763b03195a98ea56faa2686886de32818453e2d0ed51afbbf438832989462fcbb24b0178fce926b172cafbc33631cae79c7de1bb20a8 |
C:\Users\Admin\Downloads\RobloxToolz.rar
| Hash | Value |
| --- | --- |
| MD5 | 9e0315239f3333402b42c51a4814e486 |
| SHA1 | e5d2a5f53f27ff704ddd1428b2abddfdf2665205 |
| SHA256 | 80c81808203ccf210fbd2cf93e2d069bad5a37b6f28e25f1a457873fd27c392a |
| SHA512 | 01390b2ef92ab12b5e7e23abcb2840462a2fae41e139fe4339d1a8555ceb4a07deff88544747ba94068c564709d9fece237c2912503cbdb2e50acecfde65081a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| Hash | Value |
| --- | --- |
| MD5 | e45d9f38094416b53ba86b79b859673f |
| SHA1 | 89ddb831408a7f51dbe2ec5f1a726dc903743984 |
| SHA256 | a40935e651f42a409b3ce07fa61e09cf683bdbb800fdbee97746ae785afaf62e |
| SHA512 | 6b76b68f55bfde4943c19b9d2ac828c9099f1a5b647b2a612c72e3fb1820a08e3527921de3a23e09fcca1020fd9ab98420b4885e1d69eb4ffdce60be15767a50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| Hash | Value |
| --- | --- |
| MD5 | c933a28d957f40abfdda2575af305f69 |
| SHA1 | 0fe0dca36fa7c004d75a5bf723a23c97f0233184 |
| SHA256 | 93d8e36f9cc702fbd01d73a6911a9fa4df41abe02d0f92f7dcc5900620044fc3 |
| SHA512 | 5f81ea6a719e4067f9024c8b1c53ebe5102d00033b865c1faa316d2757bf15516af27b6ac4fdd7cfa1c4d7b973a4a6de1e83c211dfb29293816d56336aee06da |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| Hash | Value |
| --- | --- |
| MD5 | f9f8504456f2aa8512b535d0355fd482 |
| SHA1 | 44bfd0694c0e2b4b7a90fef4fa7c51a86ef570c9 |
| SHA256 | 55245c7357f3362d02026f8df08b1391cfaded055a1a42c34bd9643ec9c48d68 |
| SHA512 | 42b2f715175c0357e6ac2a15201a2ce7772524302cb9693cf5969d4fd163b3102b525ce9143fa35e9a00bb78a88b443316e5337ba7741ea986634692beccfcac |
C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.Config
| Hash | Value |
| --- | --- |
| MD5 | f2650004b13479fd89b2ad0625db67cf |
| SHA1 | 29379ca921f1020cbc67fbe0e7d9e7c7240f27e3 |
| SHA256 | 4766167a0a3a2072c2c64bc740feabe079efb120017df35335f1d6bc73207f47 |
| SHA512 | f8bae589a660c6363e8bc9b9142e56fa1fb5b2aa07218c0f77d8d132bc4ab94350f6f5ffb3f5d143c61473c4dd65f479ed0730e0e167742f7318ffd471d92440 |
C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ff0948bf5e656a8c61a0a15a78012e8 |
| SHA1 | 24f1633e373c53ace11461b82743739f439b5596 |
| SHA256 | 8409541ec42906a004dafa15fe32b2e0603bfe80ccf12716f3b2e0cbe5eec160 |
| SHA512 | 7a9e571c39706ff3cc7e2ce535e5a7e5b4221774483e6ab245dfe80240709bce3e0df25298660a72d403058f83c7e965ae71f233724f39c13a7a213627300dab |
C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ff0948bf5e656a8c61a0a15a78012e8 |
| SHA1 | 24f1633e373c53ace11461b82743739f439b5596 |
| SHA256 | 8409541ec42906a004dafa15fe32b2e0603bfe80ccf12716f3b2e0cbe5eec160 |
| SHA512 | 7a9e571c39706ff3cc7e2ce535e5a7e5b4221774483e6ab245dfe80240709bce3e0df25298660a72d403058f83c7e965ae71f233724f39c13a7a213627300dab |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmfs2.dll
| Hash | Value |
| --- | --- |
| MD5 | 200520e6e8b4d675b77971dfa9fb91b3 |
| SHA1 | 0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07 |
| SHA256 | 763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b |
| SHA512 | 8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\KcButton.mfx
| Hash | Value |
| --- | --- |
| MD5 | 619af4af177ae18c098c504af34daa46 |
| SHA1 | 9f12e2ac12aa78148d1aba4856999dd47d687562 |
| SHA256 | 7ad7ca933a51bcd7458cd281bb9e7e30badb85c919d25572407e5afb22750f5e |
| SHA512 | 112914c83fb2fce858a38f96396fd8dd5a0d49797c7b847641d5ac21a254511059fd668943f1963b2ec2812c98fb0f9aca631407d9b80d9a7265ebcfa2cb6f5f |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\kcedit.mfx
| Hash | Value |
| --- | --- |
| MD5 | a00acf3af0958898345fca9893cb6f57 |
| SHA1 | 561717e33e2877fd0db99411265186ca468041bd |
| SHA256 | b38ad01ad8a22f3f553530b000d6d061356601d308e6a79284605c30cb0674ad |
| SHA512 | 9435f612a23864ac7e4d22cff927b4155463fdddd8d143b805d7233dd372e9a5975c9a4170de9bcfc3adce4ab9fffdab2937f053e48743d2791753d2dc727850 |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\StaticText.mfx
| Hash | Value |
| --- | --- |
| MD5 | ae4176fb78eb5d5ccfcdbdfc46a3d132 |
| SHA1 | 933a88a95cb9a7b84434adc7c0061f5a87f41973 |
| SHA256 | 4b56fd3854ed946bf06dbe1675acdb85be4caceb9fb59a94f0157aa92c697f68 |
| SHA512 | cc420b1c001ca7179eb318c8833f99955ae34e38ca4a42fc54775bfb13ab7b43572c4646b65e13e9dd24f9bba92e187445941d8b556482926ae66198421a2508 |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\bigbox.mfx
| Hash | Value |
| --- | --- |
| MD5 | ad6530e01a4827fba383291847e33036 |
| SHA1 | 6ec72ed182478c050807c0e3270974bf34304aaa |
| SHA256 | a427377e56a804f82a5bcf07b7d5afae920f8bbda2dc5f52ce6a7f84448a8bb1 |
| SHA512 | 33cccc49302f3c257a3ed3b9d3bf0b2dbb347ccba3b6196a01ac317f83c2bd47c5cb9bf47fb677374b95590d62f5626aaf246a318999a4b07c5ee60c4c4ac863 |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\kcini.mfx
| Hash | Value |
| --- | --- |
| MD5 | a6ad14845999c5aa7adf2911671a7c5b |
| SHA1 | 98dfd5a9584d1c1b330c2c104c1779bd55ded211 |
| SHA256 | 5af175ffb932fb653873dad095dd40f2ab8d3fb56f287213c21bb68652ddad2d |
| SHA512 | 32bb59826b82d47ec420ac2532e1387a85422d2f0ce5370ad2c95b914a7615d3b122dbf4dd045105eb8ffea49324dac57659f0e5f2500b4d0eb75047cb36dfd8 |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\KcBoxA.mfx
| Hash | Value |
| --- | --- |
| MD5 | 1f5efecff564e3a5424f728370bc9c78 |
| SHA1 | 75eab086c56cfc15cb65ce5af253cbe974f87f3c |
| SHA256 | ec6fb3470217a659c58cf350af667fc84eaf710bd75b3540a1e69b6ee96f8687 |
| SHA512 | ac44c781780ca60605fd8c0c577be46188491b4ce380846a95d9060eb197dd2f02d53b06c27667de589582653b0341d1ef6f21b36dd10dc0e4246af08400efa2 |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmf2d3d11.dll
| Hash | Value |
| --- | --- |
| MD5 | 839633898178f35f6de0b385b7de0ec7 |
| SHA1 | 5396e52c45954f0953cc8cf2095b122f7353180e |
| SHA256 | 5f6563d6bf2f3ceab8b2ca2c15ba4f7fe882a82c1f72b10041b5692c6515a53a |
| SHA512 | b0ed4fce2815dcb783e0b9a786178b337d215e6a4d16df1ddb3c28ccdba13081fee1976669d9f99505cf31b8f1e8d5584fd1aa9732e1add38217222726c76eb8 |
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmf2d3d9.dll
| Hash | Value |
| --- | --- |
| MD5 | c85bcc9f3049b57aa8ccbb290342ff14 |
| SHA1 | 38f5b81a540f1c995ff8d949702440b70921acc5 |
| SHA256 | bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5 |
| SHA512 | 5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| Hash | Value |
| --- | --- |
| MD5 | 999abc6dc6aad7bc8598c716cd1285bf |
| SHA1 | fb6c06063dcd6ed20c0077bebe137b5394ebd3df |
| SHA256 | 200dd6361e4984785ce6875d2b351cc6acf712a0bdd8fa7527ad20c069e35f83 |
| SHA512 | dc52da286001ae70f9498e58e5c2e00783379c0d5fcf7afa11c62e3a72d4ba3c2a982b1bac85bf0aaa708975e0ef944cb950db6ef402e6645fad1766edee35d4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| Hash | Value |
| --- | --- |
| MD5 | c6d85b5acbbd5b4d9812710a03717512 |
| SHA1 | 666f5da1cd6c5e8e543fbb66bf652e4d79f934be |
| SHA256 | ecb651215fd048ad28a19de70dacf9fbdae3a4e50416869e004d5c00ddfcdd0f |
| SHA512 | 4e588d017a30556a3ac1bcf0e124fabe90e1bfbde2fd6ddccec79ce6286136177b759feff628b5c2844c4e1e6d74e36de37d3531ab84381d49a743b02dac6511 |
C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe
| Hash | Value |
| --- | --- |
| MD5 | cc476031c1be091dbfff916546112c85 |
| SHA1 | 38a9e7d1d1de1b7085553680e89a33d62628e26f |
| SHA256 | 890ceaab0bce99555a1524cdd39f56b960f508ca71ecd03fea787edb69e967f6 |
| SHA512 | 7ff218556fbe1939e8dcc8f982d289f028d1f55cb4f2f1d700c72f5287fa96894e651157e65e19508f81320d57b5b6eed75791bd1b2fba5b21f7b6a9ec0ec7c4 |
C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe
| Hash | Value |
| --- | --- |
| MD5 | cc476031c1be091dbfff916546112c85 |
| SHA1 | 38a9e7d1d1de1b7085553680e89a33d62628e26f |
| SHA256 | 890ceaab0bce99555a1524cdd39f56b960f508ca71ecd03fea787edb69e967f6 |
| SHA512 | 7ff218556fbe1939e8dcc8f982d289f028d1f55cb4f2f1d700c72f5287fa96894e651157e65e19508f81320d57b5b6eed75791bd1b2fba5b21f7b6a9ec0ec7c4 |
memory/3928-448-0x0000000000620000-0x0000000000634000-memory.dmp
memory/3928-449-0x00007FFECF710000-0x00007FFED01D1000-memory.dmp
memory/3928-450-0x000000001B3C0000-0x000000001B3D0000-memory.dmp
memory/3928-454-0x00007FFECF710000-0x00007FFED01D1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| Hash | Value |
| --- | --- |
| MD5 | 00df976c3ba0a70d1c9722f36a4365a4 |
| SHA1 | 53e2352d80626cf967bfd9e1246f9efbbe634492 |
| SHA256 | d7611960a7c0bbc43ca4d336b84cabf621c2213cd1766d7a6a695e84c0e36c1c |
| SHA512 | 69f5f61e12e586f55a198586030b99e11a9b60ffef61845c66867a2b2852de5907db69f131eacdab3066cacb6514f3d90c15a9c005279d04ba7c2160c69c4996 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| Hash | Value |
| --- | --- |
| MD5 | 7f657a8073971fe429afa03754b4ae77 |
| SHA1 | f6788acfed033c6cc8b2d1d6c313bd808afce7ef |
| SHA256 | 7432c2f66ce65f2fa159bd730ae346bee059d954b1b915c5bbd5ccb63a4a4971 |
| SHA512 | 235b9594c1548bc6e25e2f24ce6348191111cacbb8065170f1fe95494e438103f66d538f4b1ee8d08531136f86dea22fe5bf836f1b2039f2842111d0b414dc82 |