Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
267s -
max time network
304s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/04/2024, 14:43
Static task
static1
Behavioral task
behavioral1
Sample
RobloxPlayerLauncher.exe
Resource
win7-20240221-en
General
-
Target
RobloxPlayerLauncher.exe
-
Size
2.1MB
-
MD5
a37cac76cc02bf62462a514281e29047
-
SHA1
5b430683926059ef58df924fd87638abb2d82eab
-
SHA256
af4f0da458195e016f0a5e395df89c36f005bf24ca1ddd68a35373ba8ff66734
-
SHA512
c94ffc5ba4a4abddb437f46115f1eb83e3b6a51224860e337f4286edd0e8442676f3b999a28234c34f61f983cbbc2363fb953306dfe1ef98d710752e0e29ef51
-
SSDEEP
49152:NYuRj40EoNbMp3zEKzIATbqa3q2WrT2/MyPMQ3dSIDTrb6SMg:ucjCoNbGzEKzRPbP
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation RobloxPlayerLauncher.exe Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation RobloxPlayerLauncher.exe -
Executes dropped EXE 2 IoCs
pid Process 1472 RobloxPlayerLauncher.exe 2892 RobloxPlayerLauncher.exe -
Loads dropped DLL 8 IoCs
pid Process 1300 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RobloxPlayerLauncher.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RobloxPlayerLauncher.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\fonts\PermanentMarker-Regular.ttf RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\DeveloperFramework\PageNavigation\button_control_end.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\MaterialGenerator\Materials\Ice.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\PathEditor\Tangent_Handle.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioSharedUI\meshes.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\XboxController\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\InspectMenu\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\MenuBarIcons\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\Sliders\gr-slide-bar-empty.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\Debugger\Breakpoints\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\MaterialManager\Gradient_Hover_DT.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\TerrainTools\button_hover.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\TerrainTools\icon_picker_disable_dark.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PlayerList\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\PlatformContent\pc\textures\wangIndex.dds RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\PlatformContent\pc\textures\water\normal_01.dds RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AssetImport\btn_light_filepicker_28x28.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioToolbox\AudioPreview\play.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\RecordDown.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\Help\ResetIcon.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\SpeakerLight\Unmuted60.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\MaterialGenerator\Materials\Marble.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioToolbox\AssetConfig\creations.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Slider.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PlayerList\SelectOn.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\Misc\UnmuteAll.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ViewSelector\bottom_hover.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\sky\moon.jpg RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\CircleCutoutLarge.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\DarkPixel.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioToolbox\AssetConfig\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\TerrainTools\import_selectImg_dark.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarCompatibilityPreviewer\bg_light.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Keyboard\close_button_selection.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PurchasePrompt\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\fonts\AccanthisADFStd-Regular.otf RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\img_eventMarker_border.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\XboxController\ButtonX.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\Slider\More.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\TopBar\HealthBarTV.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\configs\DateTimeLocaleConfigs\it-it.json RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\PathEditor\Control_Point.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\TagEditor\VisibilityOnDarkTheme.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\dialog_purpose_quest.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Settings\Radial\BottomRight.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\InspectMenu\gr-item-selector.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\PlatformContent\pc\textures\pebble\diffuse.dds RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\avatar\compositing\CompositRightLegBase.mesh RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\Cursors\KeyboardMouse\IBeamCursor.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\MaterialManager\Favorites.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\Controls\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PurchasePrompt\RightButton.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\PurchasePrompt\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\Unmuted20.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VoiceChat\SpeakerLight\Error.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\VR\Radial\Icons\Backpack.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\transformFiveDegrees.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AnimationEditor\ic-checkbox-off.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\AvatarEditorImages\Sliders\[email protected] RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\DeveloperInspector\ToolbarIcon.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\StudioToolbox\ScrollBarBottom.png RobloxPlayerLauncher.exe File created C:\Program Files (x86)\Roblox\Versions\version-8764cc9c84a5459a\content\textures\ui\ResetIcon.png RobloxPlayerLauncher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio RobloxPlayerLauncher.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" RobloxPlayerLauncher.exe -
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio RobloxPlayerLauncher.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" RobloxPlayerLauncher.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe" RobloxPlayerLauncher.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1" RobloxPlayerLauncher.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RobloxPlayerLauncher.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd RobloxPlayerLauncher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A RobloxPlayerLauncher.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1472 RobloxPlayerLauncher.exe 1472 RobloxPlayerLauncher.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 2984 1300 RobloxPlayerLauncher.exe 28 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1300 wrote to memory of 1472 1300 RobloxPlayerLauncher.exe 30 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31 PID 1472 wrote to memory of 2892 1472 RobloxPlayerLauncher.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exeC:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=3539e67194ee6ba0c99d6e96abe3b09d611a4794 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5f4,0x5f8,0x5fc,0x5c8,0x604,0x698c44,0x698c54,0x698c642⤵
- Modifies system certificate store
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\RBX-D6082C09\RobloxPlayerLauncher.exe"C:\Users\Admin\AppData\Local\Temp\RBX-D6082C09\RobloxPlayerLauncher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\RBX-D6082C09\RobloxPlayerLauncher.exeC:\Users\Admin\AppData\Local\Temp\RBX-D6082C09\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=60fbaa906b1f866e4f443e8242ad94e1319ed1ef --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5b8,0x5bc,0x5c0,0x594,0x5d0,0x15fdec8,0x15fded8,0x15fdee83⤵
- Executes dropped EXE
PID:2892
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5ae62ef723642e510c8b4947b4282ab7b
SHA181077adc6aa8bec313449ba3f6a9ace7215686b0
SHA256f99809b75bf1c380dc7b84c64fcf91e450e3d1658a0b4697691655bd242d9a23
SHA512ba7a35557269abdc921e2f0180577ef30bea4a3379bca47f97a331ad0aaa14214c0f8665a696615f82b00ea6b31d07fabfc802af5606e9238b15b430a9d3f358
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize2KB
MD54bde18d2f5b811fed86d03d6adc8286e
SHA163b6992b87267f42e1ce495db1fe41f0217db09c
SHA256213737f3914c8d8ab9addf3452701855be5f6ac138ed962b29f16c5f250977fb
SHA5124734ae474878ced5b76b998bf25f73eacf4a417443506e5e89bd05e4f847911dfdca56462270fd3a2c7e97f45bec210ae5347c722bf4d1ba682e2fae84496ca2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize1KB
MD53cba3b57f5faeaac18f660bdf00f7c25
SHA121104b4abf6134c895f1f6d8148496e18724fd2c
SHA256391b2b7685c0962929b65eb56682acc677f4ed5d093333f8e45d3e499bd820b9
SHA512e910a1fa6add17de6344dec2e106a224869e78a75ca50fed99b5f502847f52f7bc790b8a2d3a56f56ccf03abcba5715fe20c284cddb1a78382c48bf790902e64
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD50edd390a9ee9f40e466c803a9b62ea8a
SHA1614a61309859badbae8df3fd3cfda54762e2cae8
SHA256c3fd50b460eda0bdb628a07078dc6902f9b5446216e12b900015e46f7306563b
SHA512277b4bd3bb8823936d18fb9efb12261e579d1ba454a56285ff8160739656f7c8af3fb42ae9e8986290d8de055e0bc65c81fc5296afe36a8bb716858d6fd8b51a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize471B
MD5cb5c1b37e863532e1725fcc3a1e0d41a
SHA1687e809d67ab00d0186dbc94f32360b63337cf0b
SHA256947cd125806704ac752b9d72cb6ea5af1f5c689c38c59e7c537445514d29540b
SHA51234d428d756784c117b99617f9746c8ba5afe300170487334804b062e6452cffdfb0430074a6dd935c1611f3bceaf8a5ff37d72affede65a0b9ffa3d5e422f98a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize2KB
MD5074540d391479062c54a478d16da061f
SHA1ba64224663e926ecae58b176761781d8054a20ca
SHA25611c087265ef3d54c00d7c6f52b8024be61ce244360cff0f6498ec9b3c2f263ae
SHA512acf7a0911930cb02ddb398576f8a5ba2e69f6560e0c9cf55d152506910444b97bab47878658f325b3c52310e0ad235392141f7884beb673e091b272a60c0d9dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize1KB
MD50f3734364fd6107c3897385bc7d689c8
SHA1f4ec874e00d858d7aecf101a53de3309013ecc0c
SHA2567f172daab6977a3636f0ae6d7e2cceb88429b293d3ccec22e556c003466938bb
SHA51282f855cc3b28beced973dc5fe0e7190cbb5d5d399f9093cc9f4b63bff4becc502410f063fa3f98ca82010b4a6ba529629fca59b8995d91793df52df18586898c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize488B
MD5ca6271ea1f2b3d9441a1b8b1c2ed15cb
SHA1295ccbca55db90571d70b6b7921a56959fcf1e1a
SHA256a4f5f3ba47ec3f583cce78d6569d29a0eee678e717e215a97b4e09e923336961
SHA51227933d9db461d1c3fbad1e81dc0a413daf825288a64838ac8c0948b16f9575bb300b162b7b2affd2cc036a18a91030ea841964204fba035fd9197cd819181f32
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize488B
MD5a12215d224aa9a0bce0403a1e2d48d80
SHA146ffc513ed5a72b31a08b7b415664b6be0c88f1f
SHA25630ebf56b2e961c2c0337363f0417494c000e1e3d7c6290a10a58f270af3271b8
SHA512aecab16da7f48068a5aba1dbdd6a03dcdf9bdcf748455735cf043e11df591f5e5edbe9d769d23745acae4077eca9370d8bf9c90b08cf3f97a0098d5588d811a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize434B
MD5caa69afc60129f8e6daf61f469ce54ec
SHA1e55c75d0a4c564531ad16ff030758b630fd26a2f
SHA25665759e50035df226452e6340b6d99aca1ea337bccafb3c6fafa13352f512f538
SHA51215466aad605c96c77ff22d3fb7613fcf46c644142c6bb782aa2f1fd8d30fd02e89a142522b37190de37a0ceca9d01f8e1bf6d5496ca0bcb22d873893eb7a81a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5928e9ebda5fd2053a6ac3dec2c70c7bd
SHA1d2eedd1f6c82754f44aac8d30dbb76d883983ae6
SHA2562d3b391de9acae0cfd0aaf5ffca2063510ff446c28c416c5b1c7726910372a2f
SHA51204f8b4d38ed13fd07dff3d3297db52ade41644224279353d3f595d70ca9901891742015ab59da28496a9794c8c692d4c5b1085fde187e25dee9cd56c8a758538
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50a650b9a7eb400415b4aeea95c4f1616
SHA1f96ed9d3f85059ba8a705d1d3aaa8533bf89bdd1
SHA256aa51ce0b1f4975e1b3fd8a8d9e3e2f6d26ca13cf41f5a664a59b667320527d95
SHA5123ac037c7310f15c2e74b72902553977bbbb17a91f9364dc892b7bbb61859475184897294f6ed089a39565229a5efa8a8c39c99892fc1856e2f2fc1457d6fa1a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54861f5b15da00b14d0cb24de3412043b
SHA1872431aaea8fcb19f5875a6981910e4cfad9cc11
SHA256059116d00a282e0e08a45c5b9d0e7f3aa233c5c3762867c234e7ffc57a35f5af
SHA512a84e8de8a8b4bda5791a3430f82f7932c2cc912e70fd7e6f8d69a3500bee84a5ee400c8517d2594c0897324b9bf7f560eb024604bdb5ff31234362ba30bfc8ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53c8ce547c83881ae2e561a11a3d1b312
SHA1f49e60d74cd540945ed082ead44d8418228cf04f
SHA2568f3c47d530d44f38ec120f5e2b3a64a918f44618767d451a6dc128f9d72e8a66
SHA51214ac03124cdd10d4dc42c6a54b1f4ecef6bbe2621380a9ee3a81b0bea55bcfbd847be8a7eb7ec9e4f56f500301303dc9d437654d3b97a084e2e1272052a4c38d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD557ca23294ea674cfac521f7373aeb8a3
SHA124b9fb53eddac6fa066c99566cebc14650a2ab63
SHA256e1f9a1aa937f0fd171594b9dbd8a7c27e74ff2857bc4f451a5b201d06cebe003
SHA5127cb39fd62014298388a49a3a0ea1c9201959ce271ec82c7e83b21af44ee1fe15edaa8716a533374b6109d1955290b63c6a24d178a6357beca6a5cc4b790dd139
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5eec48af455f6ec0304a013e39d7d93e6
SHA1db2da8d3a4e48ef746f09d9a385234b42b8cacfa
SHA2562394da05f88ecab252e634cd19a9639e453df1167c1dbe55f40fb28b9752f938
SHA5121c14a829c3f9290a0252940bc8f595fefb8d7eab056502cfed95c6ce245c8b6e2747d61282a08b8b8586c791e8810a8a1c0c2c02b26406c5417e142e884de596
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD534e761af91cdeb5b545d210b632bc02d
SHA126bfd3755e129a24b228da00029004e944c7381d
SHA256ff4ab888c446f1960a049d7d58ca8984d040bdc52f463928e1129a96c93f5225
SHA512fcf95afd513b678b33599c350e2a3eb8e8507daf654e2dfea219334fb2157e5c53c5eb5968c7e16ea5db7138852552c97967a85ec43fe03476024553e2f7797f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5d59087cb5953a2284316dcc9682563fc
SHA1c481d64d184de18444dbc9968b9149c3e60f1de0
SHA256477522b7844f4649dd615db4c6205a7d757b681a38cc555b3b11f54b870541e6
SHA51259a585b3e62971aba8204c8771316d41ef3fd836aca1589554c0a0d4d54b08f034a543a629549cb5b1d78a8dcb24fcf21463315b214a0c08e8a953ea0b4e4e11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5aa983455606cafe78b1bb79d875066e7
SHA1190513f2ac18d44daa361d5fa406268bd1fda6af
SHA2568ea9dbc9227b4f06644ff786e42b25a091b50ac73c422e0eb9ba6b13b0fc5c5b
SHA512698d2904fa96df50b87cec02f406fe43e2c048cfb220484a5d6940e5f8ce8022f49287047aa6670160042a002044e5858344bedbc1aeec0c8ceb21013d8d93cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize400B
MD54b794c0088725de4362c65d884cb01ba
SHA106741eba5210f4dde36bdcce88db09c53821b77b
SHA256a19c5cefb2ed7437ab61148f46d7c704dfeebfa1dd988229a9ab0450cba39fe6
SHA5126069c10cd7635e90febcef8c8f00e6ca70bae927c04a14d800a46face8dba288719197a8b3be63929984091c8608006a04a5ecc624441ea5d87669367b3577d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize458B
MD573a3bd62102d1fb2a02460b50d637c94
SHA1eb4b84d70ab299812b3b6c8ca65ea9b19acd7471
SHA256a6e2bb47920cd3853f052e48ab67ea1830156123aa84ab3f22f467a7f5f36395
SHA5123e08f3fb965a01384a5b3a481878b13e3a6a7b746807c66a245292864046ec47e5fcc53b438544f930c52620df7436feb8f901d15900fba7b3149f248f929a06
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize432B
MD5d5ba0623b36b5d1050f9ff3da64983cb
SHA17be9b5aba84322a9c3b7d9ef3dbfcc6ea74fbf96
SHA256ce80ce96a335d89024fe6ad74214693cc16f334db0a65bf5c3be4f2706e11721
SHA51251764a3792b2c675ab1b6148bc7421fe966baceb0bb7723c0c40029ae6ec595f0b2537c20d263a8b58d49911638d57ead731133cf17fe17e10036efac16b2a02
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\WindowsPlayer[1].json
Filesize119B
MD57a4f61c16994714c7d10abd10576f64d
SHA151a9595244bf96fcbef153cde2606d9cd4762384
SHA256ef0f0903449e72b1bb72ad78f8a313b43863736996f08934f433f27c7c3672af
SHA5124988214e504492db493af674dc07bdaad0e41fe780129a3669524dd9474a383f74bd30742cc6b8bd02fdd1dc247a5cdcfd4b8e2f307a5465378d6252c8bff862
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\PCClientBootstrapper[1].json
Filesize6KB
MD5cba4e37d2b13f0efe66a96453122d494
SHA1a68d460683eea5ef3cd5c0003bbb46354652f7f0
SHA256614dc46ab69f5f07992be9e4df35228d39ca43423fa2e52767822c3d0572fc05
SHA512ee1cecfe66642e203b1f5e0e29e95631c628b5231d04097f82c8377ee622bbf710a1c492700f997a4c47a508007073307458748b4513816d95b475a77cc916b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\BatchIncrement[1].json
Filesize163B
MD5bedbf7d7d69748886e9b48f45c75fbbe
SHA1aa0789d89bfbd44ca1bffe83851af95b6afb012c
SHA256b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61
SHA5127dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\version-8764cc9c84a5459a-rbxPkgManifest[1].txt
Filesize1KB
MD51c7b214e4eca77fde043a5e29bcfb295
SHA1260a3512f06fe20b5838895fec47883efae9f758
SHA2563f3ac87c23d98322c7a3faa1a9fad14da9562aacabd06daef9e6960ae9e23b94
SHA51256226c74cff52bcaad4665dbae01ac1d0be55fdd0fed457544b46fab07100bd7d35955fe0e8f526188a09fb67ab10469f01761df30a60c22f2722c607be3a658
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
40B
MD5464e6838abe376ed3311904f0bd7a1c9
SHA1e1c62671b7ac304029254d1686c36d4650bca6e1
SHA256684f27b8768561956c36bd78ed8caaf11b4719b18cd466fd289841ce0b02d4d9
SHA512eb282bc5e7f95fc5b2b41b03c9ae37ce4c9aba3295f38651c7c33df028dd9ec36ab5fd4831285d6a53f28f71bd70c05cc0ac06d669e5d2000c502f585e44bf00
-
Filesize
5.6MB
MD5f54b7571f1901e471133d4723140048a
SHA11076f97284ecb4e0b53be62af0c8de7bcef507f1
SHA25632182938735b51764cb2b4f788a5ee316fbd56581aecb9698a77470981392b71
SHA512df79b7b13d24e9f3c2fb8b62c58eb06e69f0dff88ecfe57190df1118f0c4e800dee7e6f10db41140c42bbf689405ba2a44f37521ba30679c866c195ef9732b2f