Malware Analysis Report

2024-11-15 08:07

Sample ID 230806-2ssywsce72
Target https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-
Tags
mercurialgrabber spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher- was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber spyware stealer

Mercurial Grabber Stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Program crash

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-06 22:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-06 22:51

Reported

2023-08-06 22:54

Platform

win10v2004-20230703-en

Max time kernel

198s

Max time network

204s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip4.seeip.org | N/A | N/A
N/A | ip4.seeip.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "243" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358358877516905" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Opens file in notepad (likely ransom note)

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 4164 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4164 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 3224 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 1108 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 1108 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4796 wrote to memory of 4584 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee3179758,0x7ffee3179768,0x7ffee3179778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29951:84:7zEvent24600

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.Config

C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe

"C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:2

C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe

"C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 424 -p 3928 -ip 3928

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3928 -s 2136

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39b8055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 3.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 142.250.179.170:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 140.82.113.6:443 api.github.com tcp
US 8.8.8.8:53 170.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 6.113.82.140.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 142.250.179.170:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 141.64.128.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
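The tail of this table is the part that matters: after the sandbox browser's GitHub traffic, the sample resolves and connects to ip4.seeip.org and ip-api.com (the "Looks up external IP address via web service" signature) and then opens two TLS sessions to discord.com, which for a Discord-webhook stealer such as Mercurial Grabber is the exfiltration channel. The report records only the TLS destination, not a webhook path, so the destination is the usable indicator. The in-addr.arpa rows are reverse lookups of the IPs that were connected to; mapping them back confirms which connection each belongs to. The following triage script is an added example, not part of the report: it parses rows in the table's own layout (Domain may be absent, as in the 224.0.0.251:5353 mDNS row), maps PTR names back to connections, and flags the lookup-then-webhook ordering. The host lists are assumptions for the example, not something the report states; SAMPLE is an excerpt of the rows above.

```python
"""Triage the Network table of a sandbox report.

Added example, not part of the original report. SAMPLE is an excerpt of the
rows above in the report's own layout: Country, Destination ip:port, Domain
(may be absent, as for the mDNS row), Proto. The host lists below are
assumptions for this example, not something the report states.
"""
import re

# Public-IP lookup services a stealer typically hits before exfiltration.
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "ip-api.com", "api.ipify.org", "ifconfig.me"}
# Legitimate services abused as webhook-style exfil/C2 channels.
ABUSED_SERVICES = {"discord.com", "discordapp.com", "cdn.discordapp.com"}
# Background traffic of the sandbox browser, ignored when bucketing.
BENIGN_SUFFIXES = ("github.com", "githubusercontent.com", "githubassets.com",
                   "googleapis.com", "amazonaws.com")

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")

SAMPLE = """\
US 8.8.8.8:53 github.com udp
US 140.82.114.3:443 github.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 141.64.128.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
"""


def parse_rows(text):
    """One dict per table row; domain is None when the column is empty."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def ptr_to_ip(name):
    """'232.135.159.162.in-addr.arpa' -> '162.159.135.232'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def is_dns(row):
    return row["port"] == 53 and row["proto"] == "udp"


def forward_queries(rows):
    """Hostnames the sample resolved, in order, reverse lookups excluded."""
    return [r["domain"] for r in rows
            if is_dns(r) and r["domain"] and not r["domain"].endswith(".in-addr.arpa")]


def resolved_connections(rows):
    """Map each PTR lookup back to the connection (ip -> attributed domain)."""
    dst = {r["ip"]: r["domain"] for r in rows if not is_dns(r)}
    out = {}
    for r in rows:
        if is_dns(r) and r["domain"] and r["domain"].endswith(".in-addr.arpa"):
            ip = ptr_to_ip(r["domain"])
            if ip in dst:
                out[ip] = dst[ip]
    return out


def triage(rows):
    """Bucket the non-DNS connections and flag the lookup-then-exfil order."""
    f = {"ip_lookup": [], "abused_service": [], "unattributed": [], "other": []}
    first_lookup = first_abused = None
    for i, r in enumerate(rows):
        if is_dns(r):
            continue
        dom = r["domain"]
        if dom is None:
            f["unattributed"].append(f'{r["ip"]}:{r["port"]}')
        elif dom in IP_LOOKUP_HOSTS:
            f["ip_lookup"].append(dom)
            first_lookup = i if first_lookup is None else first_lookup
        elif dom in ABUSED_SERVICES:
            f["abused_service"].append(dom)
            first_abused = i if first_abused is None else first_abused
        elif not dom.endswith(BENIGN_SUFFIXES):
            f["other"].append(dom)
    for k in f:
        f[k] = list(dict.fromkeys(f[k]))  # dedupe, keep first-seen order
    # External-IP lookup followed by a webhook-capable service is the classic
    # stealer ordering; flag it only when both occur and in that order.
    f["exfil_pattern"] = (first_lookup is not None and first_abused is not None
                          and first_lookup < first_abused)
    return f


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print(forward_queries(rows))
    print(resolved_connections(rows))
    print(triage(rows))
```

The "other" bucket is where an unfamiliar C2 domain would land; on this report it is empty because every non-benign destination is already covered by the two watchlists, and the only unattributed row is the mDNS multicast.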

Files

\??\pipe\crashpad_4796_ZSNREBFBTEKHFEEF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a3b79fa347cab28e28bc114a877b9053
SHA1 a8d39443c7285c32739c7ab151c61f7bb15e5746
SHA256 91cd6ce2913e302563b5428e51da6f6d9be56e12638320cb77e34ab81ba0b9c8
SHA512 e0c57d86859d4daf9900dceec7b2716469a91e2049633f0f12988982a0a9bc177bbc75f23f9566db0998dceba94f85afec4d01288a41a1e191c8f6a7c71ab957

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0db107cd0d5ed196737d76588767fbf5
SHA1 f24609ff7149ffbba77640bc215d17b7cca77067
SHA256 bf453a9689680b7242bb698a5a7717392faf79d7bab62dd85c88bd06f38a3aef
SHA512 b8e95e6cb96815c9e8b5421b58796a5542b1ffd3fdd006aa5e0cec73388a74e29ed96bd8c9cffb4e7ba08a054f6e48bc3009253e507499b7ebed984c91ef1ef6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 46cabd5360696802de48f4697ffbc919
SHA1 704a2f6b60bce77efa077b60daf50e35a3794759
SHA256 155235c9fcb6f23cc34f3ff97f556842fd076b10d85eeb4a816967345a1193d6
SHA512 214ce71a736ad7d40d06ee0e16a306a500bdc2bc60255cf428ea41ab72185d1574387f358b0974e67b4f1bd1ef625ee27a5723a69b1102fcc38e07b427615a0c

C:\Users\Admin\Downloads\RobloxToolz.rar.crdownload

MD5 9e0315239f3333402b42c51a4814e486
SHA1 e5d2a5f53f27ff704ddd1428b2abddfdf2665205
SHA256 80c81808203ccf210fbd2cf93e2d069bad5a37b6f28e25f1a457873fd27c392a
SHA512 01390b2ef92ab12b5e7e23abcb2840462a2fae41e139fe4339d1a8555ceb4a07deff88544747ba94068c564709d9fece237c2912503cbdb2e50acecfde65081a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c74fa55c611d605a85824ada8bbf78dd
SHA1 54a7a5b7d0d7d5f7743d8adc20a9b527f63ec597
SHA256 111da12f3779f8e4319b1c91039804603039dd0fa9a2ab881a4771efe693ea60
SHA512 7f9deda1c8370f8a5bcf763b03195a98ea56faa2686886de32818453e2d0ed51afbbf438832989462fcbb24b0178fce926b172cafbc33631cae79c7de1bb20a8

C:\Users\Admin\Downloads\RobloxToolz.rar

MD5 9e0315239f3333402b42c51a4814e486
SHA1 e5d2a5f53f27ff704ddd1428b2abddfdf2665205
SHA256 80c81808203ccf210fbd2cf93e2d069bad5a37b6f28e25f1a457873fd27c392a
SHA512 01390b2ef92ab12b5e7e23abcb2840462a2fae41e139fe4339d1a8555ceb4a07deff88544747ba94068c564709d9fece237c2912503cbdb2e50acecfde65081a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e45d9f38094416b53ba86b79b859673f
SHA1 89ddb831408a7f51dbe2ec5f1a726dc903743984
SHA256 a40935e651f42a409b3ce07fa61e09cf683bdbb800fdbee97746ae785afaf62e
SHA512 6b76b68f55bfde4943c19b9d2ac828c9099f1a5b647b2a612c72e3fb1820a08e3527921de3a23e09fcca1020fd9ab98420b4885e1d69eb4ffdce60be15767a50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c933a28d957f40abfdda2575af305f69
SHA1 0fe0dca36fa7c004d75a5bf723a23c97f0233184
SHA256 93d8e36f9cc702fbd01d73a6911a9fa4df41abe02d0f92f7dcc5900620044fc3
SHA512 5f81ea6a719e4067f9024c8b1c53ebe5102d00033b865c1faa316d2757bf15516af27b6ac4fdd7cfa1c4d7b973a4a6de1e83c211dfb29293816d56336aee06da

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f9f8504456f2aa8512b535d0355fd482
SHA1 44bfd0694c0e2b4b7a90fef4fa7c51a86ef570c9
SHA256 55245c7357f3362d02026f8df08b1391cfaded055a1a42c34bd9643ec9c48d68
SHA512 42b2f715175c0357e6ac2a15201a2ce7772524302cb9693cf5969d4fd163b3102b525ce9143fa35e9a00bb78a88b443316e5337ba7741ea986634692beccfcac

C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.Config

MD5 f2650004b13479fd89b2ad0625db67cf
SHA1 29379ca921f1020cbc67fbe0e7d9e7c7240f27e3
SHA256 4766167a0a3a2072c2c64bc740feabe079efb120017df35335f1d6bc73207f47
SHA512 f8bae589a660c6363e8bc9b9142e56fa1fb5b2aa07218c0f77d8d132bc4ab94350f6f5ffb3f5d143c61473c4dd65f479ed0730e0e167742f7318ffd471d92440

C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe

MD5 4ff0948bf5e656a8c61a0a15a78012e8
SHA1 24f1633e373c53ace11461b82743739f439b5596
SHA256 8409541ec42906a004dafa15fe32b2e0603bfe80ccf12716f3b2e0cbe5eec160
SHA512 7a9e571c39706ff3cc7e2ce535e5a7e5b4221774483e6ab245dfe80240709bce3e0df25298660a72d403058f83c7e965ae71f233724f39c13a7a213627300dab

C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe

MD5 4ff0948bf5e656a8c61a0a15a78012e8
SHA1 24f1633e373c53ace11461b82743739f439b5596
SHA256 8409541ec42906a004dafa15fe32b2e0603bfe80ccf12716f3b2e0cbe5eec160
SHA512 7a9e571c39706ff3cc7e2ce535e5a7e5b4221774483e6ab245dfe80240709bce3e0df25298660a72d403058f83c7e965ae71f233724f39c13a7a213627300dab

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmfs2.dll

MD5 200520e6e8b4d675b77971dfa9fb91b3
SHA1 0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07
SHA256 763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b
SHA512 8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\KcButton.mfx

MD5 619af4af177ae18c098c504af34daa46
SHA1 9f12e2ac12aa78148d1aba4856999dd47d687562
SHA256 7ad7ca933a51bcd7458cd281bb9e7e30badb85c919d25572407e5afb22750f5e
SHA512 112914c83fb2fce858a38f96396fd8dd5a0d49797c7b847641d5ac21a254511059fd668943f1963b2ec2812c98fb0f9aca631407d9b80d9a7265ebcfa2cb6f5f

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\kcedit.mfx

MD5 a00acf3af0958898345fca9893cb6f57
SHA1 561717e33e2877fd0db99411265186ca468041bd
SHA256 b38ad01ad8a22f3f553530b000d6d061356601d308e6a79284605c30cb0674ad
SHA512 9435f612a23864ac7e4d22cff927b4155463fdddd8d143b805d7233dd372e9a5975c9a4170de9bcfc3adce4ab9fffdab2937f053e48743d2791753d2dc727850

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\StaticText.mfx

MD5 ae4176fb78eb5d5ccfcdbdfc46a3d132
SHA1 933a88a95cb9a7b84434adc7c0061f5a87f41973
SHA256 4b56fd3854ed946bf06dbe1675acdb85be4caceb9fb59a94f0157aa92c697f68
SHA512 cc420b1c001ca7179eb318c8833f99955ae34e38ca4a42fc54775bfb13ab7b43572c4646b65e13e9dd24f9bba92e187445941d8b556482926ae66198421a2508

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\bigbox.mfx

MD5 ad6530e01a4827fba383291847e33036
SHA1 6ec72ed182478c050807c0e3270974bf34304aaa
SHA256 a427377e56a804f82a5bcf07b7d5afae920f8bbda2dc5f52ce6a7f84448a8bb1
SHA512 33cccc49302f3c257a3ed3b9d3bf0b2dbb347ccba3b6196a01ac317f83c2bd47c5cb9bf47fb677374b95590d62f5626aaf246a318999a4b07c5ee60c4c4ac863

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\kcini.mfx

MD5 a6ad14845999c5aa7adf2911671a7c5b
SHA1 98dfd5a9584d1c1b330c2c104c1779bd55ded211
SHA256 5af175ffb932fb653873dad095dd40f2ab8d3fb56f287213c21bb68652ddad2d
SHA512 32bb59826b82d47ec420ac2532e1387a85422d2f0ce5370ad2c95b914a7615d3b122dbf4dd045105eb8ffea49324dac57659f0e5f2500b4d0eb75047cb36dfd8

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\KcBoxA.mfx

MD5 1f5efecff564e3a5424f728370bc9c78
SHA1 75eab086c56cfc15cb65ce5af253cbe974f87f3c
SHA256 ec6fb3470217a659c58cf350af667fc84eaf710bd75b3540a1e69b6ee96f8687
SHA512 ac44c781780ca60605fd8c0c577be46188491b4ce380846a95d9060eb197dd2f02d53b06c27667de589582653b0341d1ef6f21b36dd10dc0e4246af08400efa2

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmf2d3d11.dll

MD5 839633898178f35f6de0b385b7de0ec7
SHA1 5396e52c45954f0953cc8cf2095b122f7353180e
SHA256 5f6563d6bf2f3ceab8b2ca2c15ba4f7fe882a82c1f72b10041b5692c6515a53a
SHA512 b0ed4fce2815dcb783e0b9a786178b337d215e6a4d16df1ddb3c28ccdba13081fee1976669d9f99505cf31b8f1e8d5584fd1aa9732e1add38217222726c76eb8

C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmf2d3d9.dll

MD5 c85bcc9f3049b57aa8ccbb290342ff14
SHA1 38f5b81a540f1c995ff8d949702440b70921acc5
SHA256 bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5
SHA512 5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 999abc6dc6aad7bc8598c716cd1285bf
SHA1 fb6c06063dcd6ed20c0077bebe137b5394ebd3df
SHA256 200dd6361e4984785ce6875d2b351cc6acf712a0bdd8fa7527ad20c069e35f83
SHA512 dc52da286001ae70f9498e58e5c2e00783379c0d5fcf7afa11c62e3a72d4ba3c2a982b1bac85bf0aaa708975e0ef944cb950db6ef402e6645fad1766edee35d4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c6d85b5acbbd5b4d9812710a03717512
SHA1 666f5da1cd6c5e8e543fbb66bf652e4d79f934be
SHA256 ecb651215fd048ad28a19de70dacf9fbdae3a4e50416869e004d5c00ddfcdd0f
SHA512 4e588d017a30556a3ac1bcf0e124fabe90e1bfbde2fd6ddccec79ce6286136177b759feff628b5c2844c4e1e6d74e36de37d3531ab84381d49a743b02dac6511

C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe

MD5 cc476031c1be091dbfff916546112c85
SHA1 38a9e7d1d1de1b7085553680e89a33d62628e26f
SHA256 890ceaab0bce99555a1524cdd39f56b960f508ca71ecd03fea787edb69e967f6
SHA512 7ff218556fbe1939e8dcc8f982d289f028d1f55cb4f2f1d700c72f5287fa96894e651157e65e19508f81320d57b5b6eed75791bd1b2fba5b21f7b6a9ec0ec7c4

C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe

MD5 cc476031c1be091dbfff916546112c85
SHA1 38a9e7d1d1de1b7085553680e89a33d62628e26f
SHA256 890ceaab0bce99555a1524cdd39f56b960f508ca71ecd03fea787edb69e967f6
SHA512 7ff218556fbe1939e8dcc8f982d289f028d1f55cb4f2f1d700c72f5287fa96894e651157e65e19508f81320d57b5b6eed75791bd1b2fba5b21f7b6a9ec0ec7c4

memory/3928-448-0x0000000000620000-0x0000000000634000-memory.dmp

memory/3928-449-0x00007FFECF710000-0x00007FFED01D1000-memory.dmp

memory/3928-450-0x000000001B3C0000-0x000000001B3D0000-memory.dmp

memory/3928-454-0x00007FFECF710000-0x00007FFED01D1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 00df976c3ba0a70d1c9722f36a4365a4
SHA1 53e2352d80626cf967bfd9e1246f9efbbe634492
SHA256 d7611960a7c0bbc43ca4d336b84cabf621c2213cd1766d7a6a695e84c0e36c1c
SHA512 69f5f61e12e586f55a198586030b99e11a9b60ffef61845c66867a2b2852de5907db69f131eacdab3066cacb6514f3d90c15a9c005279d04ba7c2160c69c4996

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7f657a8073971fe429afa03754b4ae77
SHA1 f6788acfed033c6cc8b2d1d6c313bd808afce7ef
SHA256 7432c2f66ce65f2fa159bd730ae346bee059d954b1b915c5bbd5ccb63a4a4971
SHA512 235b9594c1548bc6e25e2f24ce6348191111cacbb8065170f1fe95494e438103f66d538f4b1ee8d08531136f86dea22fe5bf836f1b2039f2842111d0b414dc82
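Reading this table as IOCs rather than as a flat list: the same SHA256 appears under RobloxToolz.rar.crdownload and RobloxToolz.rar (the browser's download rename, not two payloads); the Chrome Preferences path is written several times with different digests (ordinary profile churn); MirroApi.exe and RobloxToolz.exe are each listed twice with identical hashes (two write events, one file); the crashpad pipe carries the digest of zero bytes and holds no content; and the mmfs2.dll, mmf2d3d9.dll, mmf2d3d11.dll and *.mfx files under AppData\Local\Temp\mrtBCD3.tmp are the layout of a Clickteam Fusion runtime unpacking itself, which is consistent with RobloxToolz.exe being a Fusion-built executable. The script below is an added example, not part of the report: it parses entries in the table's own format, skips the memory/... region dumps, validates digest lengths, and derives the dedicated IOC list (unique executable content outside system locations) plus the rename and rewrite relationships. SAMPLE is an excerpt of the entries above with SHA512 lines and blank separators dropped for brevity; treating .mfx as executable content is an assumption of the example.

```python
"""Parse the Files table of a sandbox report into IOC records.

Added example, not part of the original report. SAMPLE is an excerpt of the
entries above with the SHA512 lines and blank separators dropped for brevity;
the parser accepts all four digests and ignores blank lines.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# SHA-256 of zero bytes: such an entry (the crashpad pipe) carries no content.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Extensions treated as executable content; including .mfx (Clickteam Fusion
# extension modules) is an assumption based on the mrt*.tmp layout above.
EXEC_EXT = (".exe", ".dll", ".mfx")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")

SAMPLE = r"""
\??\pipe\crashpad_4796_ZSNREBFBTEKHFEEF
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\Downloads\RobloxToolz.rar.crdownload
MD5 9e0315239f3333402b42c51a4814e486
SHA1 e5d2a5f53f27ff704ddd1428b2abddfdf2665205
SHA256 80c81808203ccf210fbd2cf93e2d069bad5a37b6f28e25f1a457873fd27c392a
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5 0db107cd0d5ed196737d76588767fbf5
SHA1 f24609ff7149ffbba77640bc215d17b7cca77067
SHA256 bf453a9689680b7242bb698a5a7717392faf79d7bab62dd85c88bd06f38a3aef
C:\Users\Admin\Downloads\RobloxToolz.rar
MD5 9e0315239f3333402b42c51a4814e486
SHA1 e5d2a5f53f27ff704ddd1428b2abddfdf2665205
SHA256 80c81808203ccf210fbd2cf93e2d069bad5a37b6f28e25f1a457873fd27c392a
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5 e45d9f38094416b53ba86b79b859673f
SHA1 89ddb831408a7f51dbe2ec5f1a726dc903743984
SHA256 a40935e651f42a409b3ce07fa61e09cf683bdbb800fdbee97746ae785afaf62e
C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe
MD5 4ff0948bf5e656a8c61a0a15a78012e8
SHA1 24f1633e373c53ace11461b82743739f439b5596
SHA256 8409541ec42906a004dafa15fe32b2e0603bfe80ccf12716f3b2e0cbe5eec160
C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe
MD5 4ff0948bf5e656a8c61a0a15a78012e8
SHA1 24f1633e373c53ace11461b82743739f439b5596
SHA256 8409541ec42906a004dafa15fe32b2e0603bfe80ccf12716f3b2e0cbe5eec160
C:\Users\Admin\AppData\Local\Temp\mrtBCD3.tmp\mmfs2.dll
MD5 200520e6e8b4d675b77971dfa9fb91b3
SHA1 0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07
SHA256 763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b
memory/3928-448-0x0000000000620000-0x0000000000634000-memory.dmp
C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe
MD5 cc476031c1be091dbfff916546112c85
SHA1 38a9e7d1d1de1b7085553680e89a33d62628e26f
SHA256 890ceaab0bce99555a1524cdd39f56b960f508ca71ecd03fea787edb69e967f6
"""


def parse_files(text):
    """One dict per hashed file entry, in report order; memory dumps skipped."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("digest without a preceding path: " + line)
            label, digest = m.groups()
            if len(digest) != HASH_LEN[label]:
                raise ValueError(f"{label} of wrong length for {current['path']}")
            current[label.lower()] = digest
        elif line.startswith("memory/"):
            current = None  # memory region dump, no file content behind it
        else:
            current = {"path": line}
            records.append(current)
    return [r for r in records if "sha256" in r]


def renamed_copies(records):
    """Same content under more than one path (download rename, copy)."""
    by_hash = defaultdict(list)
    for r in records:
        if r["path"] not in by_hash[r["sha256"]]:
            by_hash[r["sha256"]].append(r["path"])
    return {h: p for h, p in by_hash.items() if len(p) > 1}


def rewritten_paths(records):
    """Same path written with different content (config churn or tampering)."""
    by_path = defaultdict(list)
    for r in records:
        if r["sha256"] not in by_path[r["path"]]:
            by_path[r["path"]].append(r["sha256"])
    return {p: h for p, h in by_path.items() if len(h) > 1}


def dropped_binaries(records):
    """Unique executable content outside system locations: the IOC list."""
    out = {}
    for r in records:
        p = r["path"].lower()
        if (p.endswith(EXEC_EXT) and not p.startswith(SYSTEM_PREFIXES)
                and r["sha256"] != EMPTY_SHA256):
            out.setdefault(r["sha256"], r["path"])  # first path per digest
    return out


def empty_objects(records):
    return [r["path"] for r in records if r["sha256"] == EMPTY_SHA256]
```

Run over the full table, dropped_binaries() yields one line per unique binary (the two MirroApi.exe entries collapse to one) and renamed_copies() shows the .crdownload-to-.rar rename, so the archive is counted once rather than as two downloads.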