hxxps://external[.]instastalker[.]net/aHR0cHM6Ly9zY29udGVudC1sZ2EzLTEuY2RuaW5zdGFncmFtLmNvbS9vMS92L3QxNi9mMS9tNzgvMjI0MjRFNjA0ODFCNzA4MTI0NUFCNzM4NTVBNDZGQkNfdmlkZW9fZGFzaGluaXQubXA0P2VmZz1leUoyWlc1amIyUmxYM1JoWnlJNkluWjBjMTkyYjJSZmRYSnNaMlZ1TG5OMGIzSjVMbU14TGpVM05pNWlZWE5sYkdsdVpTSjkmX25jX2h0PXNjb250ZW50LWxnYTMtMS5jZG5pbnN0YWdyYW0uY29tJl9uY19jYXQ9MTAwJnZzPTE0NTg0MjY5MTEzODU4OTdfMjg3MTAyODYyMyZfbmNfdnM9SEJrc0ZRSVlVV2xuWDNod2RsOXdiR0ZqWlcxbGJuUmZjR1Z5YldGdVpXNTBYM1l5THpJeU5ESTBSVFl3TkRneFFqY3dPREV5TkRWQlFqY3pPRFUxUVRRMlJrSkRYM1pwWkdWdlgyUmhjMmhwYm1sMExtMXdOQlVBQXNnQkFCVUNHRHB3WVhOemRHaHliM1ZuYUY5bGRtVnljM1J2Y21VdlIwaFBkRlpvYWw4d1lsRlNUWE5CUTBGTExVeEJVa1ZsTUc5V1oySndhM2RCUVVGR0ZRSUN5QUVBS0FBWUFCc0JpQWQxYzJWZmIybHNBVEVWQUFBbSUyRk8zS3Y5Q0c5ajhWQWlnQ1F6TXNGMEF2ek16TXpNek5HQkprWVhOb1gySmhjMlZzYVc1bFh6RmZkakVSQUhYb0J3QSUzRCZjY2I9OS00Jm9oPTAwX0FmQkFORzVMWVpucE5BVFBhWkgwZW9KRTBISmlreUtsYlVod3dBSGVZbXdIZVEmb2U9NjYxMjNCMTYmX25jX3NpZD05ODJjYzc=

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://external.instastalker.net/aHR0cHM6Ly9zY29udGVudC1sZ2EzLTEuY2RuaW5zdGFncmFtLmNvbS9vMS92L3QxNi9mMS9tNzgvMjI0MjRFNjA0ODFCNzA4MTI0NUFCNzM4NTVBNDZGQkNfdmlkZW9fZGFzaGluaXQubXA0P2VmZz1leUoyWlc1amIyUmxYM1JoWnlJNkluWjBjMTkyYjJSZmRYSnNaMlZ1TG5OMGIzSjVMbU14TGpVM05pNWlZWE5sYkdsdVpTSjkmX25jX2h0PXNjb250ZW50LWxnYTMtMS5jZG5pbnN0YWdyYW0uY29tJl9uY19jYXQ9MTAwJnZzPTE0NTg0MjY5MTEzODU4OTdfMjg3MTAyODYyMyZfbmNfdnM9SEJrc0ZRSVlVV2xuWDNod2RsOXdiR0ZqWlcxbGJuUmZjR1Z5YldGdVpXNTBYM1l5THpJeU5ESTBSVFl3TkRneFFqY3dPREV5TkRWQlFqY3pPRFUxUVRRMlJrSkRYM1pwWkdWdlgyUmhjMmhwYm1sMExtMXdOQlVBQXNnQkFCVUNHRHB3WVhOemRHaHliM1ZuYUY5bGRtVnljM1J2Y21VdlIwaFBkRlpvYWw4d1lsRlNUWE5CUTBGTExVeEJVa1ZsTUc5V1oySndhM2RCUVVGR0ZRSUN5QUVBS0FBWUFCc0JpQWQxYzJWZmIybHNBVEVWQUFBbSUyRk8zS3Y5Q0c5ajhWQWlnQ1F6TXNGMEF2ek16TXpNek5HQkprWVhOb1gySmhjMlZzYVc1bFh6RmZkakVSQUhYb0J3QSUzRCZjY2I9OS00Jm9oPTAwX0FmQkFORzVMWVpucE5BVFBhWkgwZW9KRTBISmlreUtsYlVod3dBSGVZbXdIZVEmb2U9NjYxMjNCMTYmX25jX3NpZD05ODJjYzc=

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
6704	RobloxPlayerInstaller.exe
6684	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe

Loads dropped DLL 3 IoCs

pid	Process
6684	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
6684	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs

pid	Process
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PlayerList\BlockedIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PurchasePrompt\RightButton.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\LeaveGame\Button_1080.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\PlatformContent\pc\textures\corrodedmetal\reflection.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\PlatformContent\pc\textures\slate\diffuse.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\LayeredClothingEditor\WorkspaceIcons\Outer Cage.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\Sliders\body-type-slider-background.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\LegacyRbxGui\sandside.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\Catalog_LightTheme.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\DevConsole\Clear.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioSharedUI\places.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\AvatarEditor_LightTheme.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-instudio-8x8.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\fonts\families\Nunito.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\DevConsole\Sort.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\MenuBar\arrow_left.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\Unmuted40.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\sky\cloudsfb.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\Stretch\gr-tail.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PlayerList\AdminIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\ScreenshotHud\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\Help\BButtonDark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaChat\9-slice\scroll-bar.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\image_scrollbar_vertical_bot.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\TerrainTools\import_selectImg_dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioSharedUI\preview_expand.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioToolbox\AssetPreview\fullscreen_exit.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\icon_whitetriangle_down.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\fonts\NotoNaskhArabicUI-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\chatBubble_bot_notifyGray_dotDotDot.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\RoactStudioWidgets\toggle_disable_light.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VR\buttonActive.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\img_eventGroupMarker_border_selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaApp\icons\ic-more-friends.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\PlatformContent\pc\textures\ice\normal.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame-14x14.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\InspectMenu\ico_favorite_off.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\LeaveGame\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaApp\graphic\gr-bloom-circle.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaApp\graphic\light_bg.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\button_zoom_hoverpressed_left.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\ErrorPrompt\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\PublishPlaceAs\MoreDetails.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\TopBar\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\SpeakerNew\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\ic-checkbox-off.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarImporter\img_dark_custom.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-8764cc9c84a5459a\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-8764cc9c84a5459a\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-8764cc9c84a5459a\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\version = "version-8764cc9c84a5459a"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-636c3b2697eb4e58"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-8764cc9c84a5459a\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-8764cc9c84a5459a"	RobloxPlayerInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
6704	RobloxPlayerInstaller.exe
6704	RobloxPlayerInstaller.exe
6684	RobloxPlayerBeta.exe
6684	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe
4308	RobloxPlayerBeta.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: 33	844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	844	AUDIODG.EXE
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	6704	RobloxPlayerInstaller.exe
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
6684	RobloxPlayerBeta.exe
5868	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3404 wrote to memory of 3528	3404	firefox.exe	110
PID 3528 wrote to memory of 3116	3528	firefox.exe	111
PID 3528 wrote to memory of 3116	3528	firefox.exe	111
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 972	3528	firefox.exe	112
PID 3528 wrote to memory of 5240	3528	firefox.exe	113
PID 3528 wrote to memory of 5240	3528	firefox.exe	113
PID 3528 wrote to memory of 5240	3528	firefox.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://external.instastalker.net/aHR0cHM6Ly9zY29udGVudC1sZ2EzLTEuY2RuaW5zdGFncmFtLmNvbS9vMS92L3QxNi9mMS9tNzgvMjI0MjRFNjA0ODFCNzA4MTI0NUFCNzM4NTVBNDZGQkNfdmlkZW9fZGFzaGluaXQubXA0P2VmZz1leUoyWlc1amIyUmxYM1JoWnlJNkluWjBjMTkyYjJSZmRYSnNaMlZ1TG5OMGIzSjVMbU14TGpVM05pNWlZWE5sYkdsdVpTSjkmX25jX2h0PXNjb250ZW50LWxnYTMtMS5jZG5pbnN0YWdyYW0uY29tJl9uY19jYXQ9MTAwJnZzPTE0NTg0MjY5MTEzODU4OTdfMjg3MTAyODYyMyZfbmNfdnM9SEJrc0ZRSVlVV2xuWDNod2RsOXdiR0ZqWlcxbGJuUmZjR1Z5YldGdVpXNTBYM1l5THpJeU5ESTBSVFl3TkRneFFqY3dPREV5TkRWQlFqY3pPRFUxUVRRMlJrSkRYM1pwWkdWdlgyUmhjMmhwYm1sMExtMXdOQlVBQXNnQkFCVUNHRHB3WVhOemRHaHliM1ZuYUY5bGRtVnljM1J2Y21VdlIwaFBkRlpvYWw4d1lsRlNUWE5CUTBGTExVeEJVa1ZsTUc5V1oySndhM2RCUVVGR0ZRSUN5QUVBS0FBWUFCc0JpQWQxYzJWZmIybHNBVEVWQUFBbSUyRk8zS3Y5Q0c5ajhWQWlnQ1F6TXNGMEF2ek16TXpNek5HQkprWVhOb1gySmhjMlZzYVc1bFh6RmZkakVSQUhYb0J3QSUzRCZjY2I9OS00Jm9oPTAwX0FmQkFORzVMWVpucE5BVFBhWkgwZW9KRTBISmlreUtsYlVod3dBSGVZbXdIZVEmb2U9NjYxMjNCMTYmX25jX3NpZD05ODJjYzc=
1⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5776 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5884 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6120 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=1256 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3704 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x384
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.0.1397362028\119765451" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b36b0adb-5704-4e3b-9a10-ef9b5ac6a550} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1964 1e9761d8d58 gpu
    3⤵
    PID:3116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.1.93851615\348469489" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e627346f-c60a-4166-8a5d-850b16170b7b} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2364 1e976106558 socket
    3⤵
    PID:972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.2.680940822\1195845944" -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4924d05c-f650-40c5-b661-4e677b0df67c} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3000 1e97a2c7b58 tab
    3⤵
    PID:5240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.3.252595045\2049734878" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c35aed1c-7bff-47b2-bbf1-6b4313c921a0} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3512 1e978ac4b58 tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.4.2011122503\565102667" -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4564 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb3f1cbb-b5d9-4f1a-9bd6-07e37afb1203} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4624 1e97c135158 tab
    3⤵
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.5.1288831132\1053359529" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 5068 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bca02fcb-f132-401f-9c34-7ca42ecd941c} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5052 1e962567258 tab
    3⤵
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.6.196694931\152489149" -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5992b58b-ec6b-4b52-b25d-fff07a4a73f8} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5192 1e96256d658 tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.7.1179533244\669481297" -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef0d922e-213a-42ee-8c75-e57549bb54f5} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5084 1e97c667e58 tab
    3⤵
    PID:5768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.8.1567327051\387215887" -childID 7 -isForBrowser -prefsHandle 5192 -prefMapHandle 5552 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e74baa1b-2164-46ed-a577-58b2900ce322} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5556 1e97e42de58 tab
    3⤵
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.9.452819283\2083265368" -childID 8 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c06b4ae6-3308-4926-b188-75e1b4559b73} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4936 1e9787a4058 tab
    3⤵
    PID:6556
- - C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
    "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6704
  - - C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe
      "C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe" -app -isInstallerLaunch
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      PID:6684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6368 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:6316

C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:5868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5700

C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.2MB

MD5
9c04780c171c87286e4a12c1df06a6f0

SHA1
8410ddde9c9bc4ec3da8419ec4a2513c6945a8d3

SHA256
49f4b148b57b58808444a88f4674f7b7868dc2599c29b001341741508b31db53

SHA512
59fbcdd87ecf033d0e817c1b4dea628fb9b4ca1d5989fe2572c26acb0b1c7b7ff898d11de73790024314409993a82547446b3b6ff1df16b5e9a102e50cabe940

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.dll

Filesize
24.3MB

MD5
d48aa991a915704dcec857b12afb8dba

SHA1
1491866e47711f128254f04c4cd6eb221bc818c5

SHA256
814e7c313e9be3919b98aef8b6341ca360695cf32f289084bf436d3e600281c6

SHA512
4ceeaf34cdf70e920705b51490342cc84e8dba0c5704a707cbcceb9e8acf63064315d85d35fec2caee6d53d2b94e5376ed563ac2f7152fb52a3c2106aa43ad04

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.dll

Filesize
4.7MB

MD5
8195f4c1c420386555d3632007ccea50

SHA1
df0694da6338ed78af00e4e4dbbdbccf2e29cdca

SHA256
f373c2496fe124dc8dbaba1a7ee1f2f7c7e149a9e7683d28cd4b1224d34c65fe

SHA512
8fd536dd6a341651eaf939c2a73003280e1c7d37839efa63b25aed5d5dfe797a111031f999fd5984e7945a248a8bd1a45099db01381152a5fe7ab28df2105035

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe

Filesize
81.4MB

MD5
a336c22a694b067873be86601f0744fc

SHA1
7deeb9a5a961289a08ad9527417d8d93927a9340

SHA256
1068e679febb810b61f67526b52207fa99cb4ea2949d2460a84dec45d32d0a7e

SHA512
fd5f0b9f0817cf004b10b687940980b8d58be39b48fc108b24cc33ea1076da2d68f112b76e3911f88f11c39005412343a30ee6419cd3f14befbb2133ee388290

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\RobloxPlayerBeta.exe

Filesize
4.7MB

MD5
6003cfd6ef0e9726a69f1da79e2528d0

SHA1
5d759fde2d7b20d774f52f3600597747d35e2864

SHA256
2ce24171bee8215cbaa2e0a3a929d1534b3a09f20dcf3ef25f6b302ecc95a522

SHA512
8ca5dab54049477cc410a0a34e79f1f48d45177d2bc8f7b2eeef82379a69f93e1078f6d5b72e05aae383065b064f279458dd0cb97fb513a74509669105a9162e

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\f54b7571f1901e471133d4723140048a

Filesize
5.6MB

MD5
f54b7571f1901e471133d4723140048a

SHA1
1076f97284ecb4e0b53be62af0c8de7bcef507f1

SHA256
32182938735b51764cb2b4f788a5ee316fbd56581aecb9698a77470981392b71

SHA512
df79b7b13d24e9f3c2fb8b62c58eb06e69f0dff88ecfe57190df1118f0c4e800dee7e6f10db41140c42bbf689405ba2a44f37521ba30679c866c195ef9732b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2d037fd67cd397caa34931ba4b8c8120

SHA1
60d626f2ed520304f5c42171cd6ee3fd14d80786

SHA256
7f8f3b66fb7b69b0ce9e4a2d5e054c3ab7ef5000d0bfc56ac5408bed3e2d3c25

SHA512
53f48adafde4c19b559df06e3f67a9155b7b2fae1dcc89ccaa7dc1d0d2b5ce0b99491485a980cedd827c99152411e2701f603e583bfb7bdd528467eea4fb02de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\09103677-8184-4e3e-899c-3d24c3ce2c80

Filesize
746B

MD5
3e5e69a1c932dd0d81e0d46c1ccf2b86

SHA1
bc970fe3d18f2f6e0c8e0aea4bcc6b5a2898c758

SHA256
ab9b7a2daae022500da0f8eeef9f34e3519fafab94d8e1282544be372f21a034

SHA512
0fc039d5d256aa3bf36a15c2d5e76d16a185f9576bb9403d1c805e811088150a571a9426db8f720db138bddc621ebcfd569262bf97277edfbfb17a369da4cc29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\a3fec62b-7fd3-4664-9cba-c9850662fd39

Filesize
11KB

MD5
3bcefed1aefb65c5413d7a3947fda364

SHA1
4b79568359f0d2021e174a28436be3ff39a638c9

SHA256
3187a4be32f1d2efbffdfc7499876c0d1a582610d76da1c9ca50ab8f5c0cf64a

SHA512
e39ca3c5c9698071c6e40febb45eeef1f9d0f3a5d9967720406305f05613008c30eb5ad19ece314adefb041dc44c213e5c9e781eda54f12d14e85dbc8e2bb06e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
7KB

MD5
93ce4262f55078f820397b5b6ca7d1f8

SHA1
9832db25e41c678f9a7d89920d9256c8d4086337

SHA256
78f27d4b627725bf545a3944d28f55064163bb7f043d4bb2effb99c644676349

SHA512
30b9442323146b2fda74a1cb7bb51828f4f7c0a2b90178bd1c79ad756b37719c7e94fadfd20a58053b08559c8f64b771808aa111639e170bc6f35891d1727d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
0608fd6916ab864c81c0fa0bf0c8237c

SHA1
094461ba9b232bec59495b4428f8b4b4ca720b11

SHA256
2793fc631d38c990ce79f007a5d40a8fc6a46d0d826156b6b540eba2044edcdf

SHA512
2f1f7a24e30dd9f070bdfefbf98d42b0e1b69f8ff168d185f5db32180fabb855aac4272145b5dd27bfb36ebd6a7f1b9c8c7f93d4fe6ed75f7bfb0bcc0bb09772

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
787f7a9f99b730e8e62eb3b5ca606876

SHA1
90454863e92ec2ac216aed7d08a4440eeec99b6e

SHA256
1e8a5c4940bd558a9ca760492f514d13e95c39a3dcca2bf5b87dc96d939a0c84

SHA512
6d80f0e003aa5169c54e40945fb560164b9d5608221ebf83c2f8aa581b9c66c030e234f481375dcd7df5f1e6bb085f066f20fd2b35684859c2087011588da615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
4ad73dc50dac5a286a20cb32b3227c79

SHA1
a47c2b90786c57f86843727bf9257da23d16e164

SHA256
d1a61db8977ddd69d15546183d66c1e1b264a5bea652021f9158a239d4cae198

SHA512
27d44bf262c2abe808c2af2ab85184dee2fdd1aa2efc6a80552f1110aad5485728030fe734d70ec998deb606770f9d9330c308602f54efb6d54f91366fb57ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
e2e758176a4342e1b035bac28ab0dd91

SHA1
a73014508bb3f083ed175bc2f4f80270cde8901e

SHA256
4f490927eb8f56085b1c1b9290ffe4e6f50f48807d1463be0c6aaa548a8a68c8

SHA512
92760af088a251c774102fd32213f7a43e5eaa15b3a65e3234f90660109ddc4401b0899d9201e9a0ff3bd1033df15caf57431c9e508917bd93b6f835cd2d1a18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e4c0427ae559d8e08e2afe8288747073

SHA1
6cf9fe0a9186a553722a91e6e41db784628a8167

SHA256
f3663840add71224c3487583b6672696dc9d31de9e2e9cfd50ea81a6174e39ef

SHA512
f47a38c302627780494521c0458ee06cd883a3ca9f2077a1381f2a54a77dce5a944da3f01f37a3043e4dc065b4832d88e3343c3c9278fca361071ca5869aea74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3a1eaa3b3831d273ffd475300aed133f

SHA1
b8b615766306c7220df351f3c32fbd042f2b163b

SHA256
838bba803454ea02ddf86b5d002dc297d45baf00d8c182b9efae9d8b97d3e2e9

SHA512
2e15316ac10b6a0a617ac1e6b06173852d50a6d54c2ea3a4fd82a133809839d2e35e4dcfd949a1cdd2cfc6d5aa31fbe7590ae88b1b2c226b9285c4419b3a9ac3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
18b211b5a4f7da1978a9b9c5edbc8f64

SHA1
9bb9217d8749bb7e5cfbd3188d83e66351bdf7f0

SHA256
546715ff4a53f0fc010cbe369826a7f710e07928d85aea31feca05ebbab52374

SHA512
5bcace0df9acc3b46dd833a35e8029c766fb169c98f8a2ac103cc5ba992bcb59843f661ef9c1a7f3814b561916fa1e3f1fb0b77532e850f0b5985bdd0d71db23

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe

Filesize
5.3MB

MD5
666f69bae6e56a62b7af6cb8496f677f

SHA1
ae052de936deeebe5fb8d8c059eb84fa38707c4d

SHA256
586adc8fe02d5ac562fbc338df3555732d9d0b77db7cad306aadec22447ce6f8

SHA512
ee479171bf4dbc0b7d690202e0a6c09ba88cac1a1a34e4f115c9d0c65f1ca752cf3d180d6047fa1066da933a48e8cac070d4f1dceec8abfd8ee1ab3590ff50ee

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.svs3usVx.exe.part

Filesize
431KB

MD5
7f046242560ff143b1191e7e47ed6b79

SHA1
83e2e95ab40b12b599ceb1a9d866a3d9a5797401

SHA256
e9828bbb8e5db04e4df7c7b2e33b080a4079af410d2da7296964f361459dc602

SHA512
78452f2363cb24a6f3b638c03f8fc8231f3d60235741922f2ecb92077684358725c19d31cef17c7c0f42587b5d9565bf015ba2d18a2dd92a090ef5dc68488ee2

Download Submit
memory/4308-815-0x00000279AFCA0000-0x00000279AFCA1000-memory.dmp

Filesize
4KB

Download
memory/6684-666-0x00007FFEC95C0000-0x00007FFEC95F0000-memory.dmp

Filesize
192KB

Download
memory/6684-671-0x00007FFEC9C80000-0x00007FFEC9C8E000-memory.dmp

Filesize
56KB

Download
memory/6684-647-0x00007FFECB910000-0x00007FFECB940000-memory.dmp

Filesize
192KB

Download
memory/6684-646-0x00007FFECB910000-0x00007FFECB940000-memory.dmp

Filesize
192KB

Download
memory/6684-648-0x00007FFECB910000-0x00007FFECB940000-memory.dmp

Filesize
192KB

Download
memory/6684-649-0x00007FFECB9A0000-0x00007FFECB9A5000-memory.dmp

Filesize
20KB

Download
memory/6684-644-0x00007FFECB910000-0x00007FFECB940000-memory.dmp

Filesize
192KB

Download
memory/6684-650-0x00007FFECB500000-0x00007FFECB510000-memory.dmp

Filesize
64KB

Download
memory/6684-653-0x00007FFECB590000-0x00007FFECB5A0000-memory.dmp

Filesize
64KB

Download
memory/6684-654-0x00007FFECB5B0000-0x00007FFECB5C0000-memory.dmp

Filesize
64KB

Download
memory/6684-656-0x00007FFECB5B0000-0x00007FFECB5C0000-memory.dmp

Filesize
64KB

Download
memory/6684-658-0x00007FFECB5B0000-0x00007FFECB5C0000-memory.dmp

Filesize
64KB

Download
memory/6684-657-0x00007FFECB5B0000-0x00007FFECB5C0000-memory.dmp

Filesize
64KB

Download
memory/6684-660-0x00007FFECB7A0000-0x00007FFECB7A1000-memory.dmp

Filesize
4KB

Download
memory/6684-661-0x00007FFEC9340000-0x00007FFEC9350000-memory.dmp

Filesize
64KB

Download
memory/6684-664-0x00007FFEC95C0000-0x00007FFEC95F0000-memory.dmp

Filesize
192KB

Download
memory/6684-665-0x00007FFEC95C0000-0x00007FFEC95F0000-memory.dmp

Filesize
192KB

Download
memory/6684-643-0x00007FFECB8C0000-0x00007FFECB8D0000-memory.dmp

Filesize
64KB

Download
memory/6684-668-0x00007FFEC95C0000-0x00007FFEC95F0000-memory.dmp

Filesize
192KB

Download
memory/6684-667-0x00007FFEC95C0000-0x00007FFEC95F0000-memory.dmp

Filesize
192KB

Download
memory/6684-669-0x00007FFEC9BD0000-0x00007FFEC9BE0000-memory.dmp

Filesize
64KB

Download
memory/6684-670-0x00007FFEC9BD0000-0x00007FFEC9BE0000-memory.dmp

Filesize
64KB

Download
memory/6684-672-0x00007FFEC9C80000-0x00007FFEC9C8E000-memory.dmp

Filesize
56KB

Download
memory/6684-674-0x00007FFEC9C80000-0x00007FFEC9C8E000-memory.dmp

Filesize
56KB

Download
memory/6684-676-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp

Filesize
64KB

Download
memory/6684-677-0x00007FFECA190000-0x00007FFECA1A0000-memory.dmp

Filesize
64KB

Download
memory/6684-682-0x00007FFECA1B0000-0x00007FFECA1BB000-memory.dmp

Filesize
44KB

Download
memory/6684-681-0x00007FFECA1B0000-0x00007FFECA1BB000-memory.dmp

Filesize
44KB

Download
memory/6684-680-0x00007FFECA1B0000-0x00007FFECA1BB000-memory.dmp

Filesize
44KB

Download
memory/6684-679-0x00007FFECA1B0000-0x00007FFECA1BB000-memory.dmp

Filesize
44KB

Download
memory/6684-678-0x00007FFECA1B0000-0x00007FFECA1BB000-memory.dmp

Filesize
44KB

Download
memory/6684-675-0x00007FFEC9C80000-0x00007FFEC9C8E000-memory.dmp

Filesize
56KB

Download
memory/6684-673-0x00007FFEC9C80000-0x00007FFEC9C8E000-memory.dmp

Filesize
56KB

Download
memory/6684-645-0x00007FFECB910000-0x00007FFECB940000-memory.dmp

Filesize
192KB

Download
memory/6684-663-0x00007FFEC9450000-0x00007FFEC9460000-memory.dmp

Filesize
64KB

Download
memory/6684-662-0x00007FFEC9450000-0x00007FFEC9460000-memory.dmp

Filesize
64KB

Download
memory/6684-659-0x00007FFEC9340000-0x00007FFEC9350000-memory.dmp

Filesize
64KB

Download
memory/6684-655-0x00007FFECB5B0000-0x00007FFECB5C0000-memory.dmp

Filesize
64KB

Download
memory/6684-684-0x00007FFEC8ED0000-0x00007FFEC8EE0000-memory.dmp

Filesize
64KB

Download
memory/6684-688-0x00007FFEC9000000-0x00007FFEC9026000-memory.dmp

Filesize
152KB

Download
memory/6684-689-0x00007FFEC9000000-0x00007FFEC9026000-memory.dmp

Filesize
152KB

Download
memory/6684-691-0x00007FFEC9000000-0x00007FFEC9026000-memory.dmp

Filesize
152KB

Download
memory/6684-692-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-693-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-694-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-697-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-699-0x00007FFEC9080000-0x00007FFEC90A2000-memory.dmp

Filesize
136KB

Download
memory/6684-701-0x00007FFEC9080000-0x00007FFEC90A2000-memory.dmp

Filesize
136KB

Download
memory/6684-702-0x00007FFEC9080000-0x00007FFEC90A2000-memory.dmp

Filesize
136KB

Download
memory/6684-703-0x00007FFEC9080000-0x00007FFEC90A2000-memory.dmp

Filesize
136KB

Download
memory/6684-700-0x00007FFEC9080000-0x00007FFEC90A2000-memory.dmp

Filesize
136KB

Download
memory/6684-698-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-696-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-695-0x00007FFEC96C0000-0x00007FFEC96E7000-memory.dmp

Filesize
156KB

Download
memory/6684-690-0x00007FFEC9000000-0x00007FFEC9026000-memory.dmp

Filesize
152KB

Download
memory/6684-687-0x00007FFEC9000000-0x00007FFEC9026000-memory.dmp

Filesize
152KB

Download
memory/6684-686-0x00007FFEC8FD0000-0x00007FFEC8FE0000-memory.dmp

Filesize
64KB

Download
memory/6684-685-0x00007FFEC8FD0000-0x00007FFEC8FE0000-memory.dmp

Filesize
64KB

Download
memory/6684-683-0x00007FFEC8ED0000-0x00007FFEC8EE0000-memory.dmp

Filesize
64KB

Download
memory/6684-652-0x00007FFECB590000-0x00007FFECB5A0000-memory.dmp

Filesize
64KB

Download
memory/6684-651-0x00007FFECB500000-0x00007FFECB510000-memory.dmp

Filesize
64KB

Download
memory/6684-641-0x00007FFECB7B0000-0x00007FFECB7C0000-memory.dmp

Filesize
64KB

Download
memory/6684-721-0x00000238C78C0000-0x00000238C78C1000-memory.dmp

Filesize
4KB

Download
memory/6684-642-0x00007FFECB8C0000-0x00007FFECB8D0000-memory.dmp

Filesize
64KB

Download
memory/6684-640-0x00007FFECB7B0000-0x00007FFECB7C0000-memory.dmp

Filesize
64KB

Download
memory/6684-639-0x00000238C78C0000-0x00000238C78C1000-memory.dmp

Filesize
4KB

Download