f906d27dcb0e9b5a72b2ccc6b7bf04050dd3289a3671596592d34b90d4d8d8a7

Analysis

max time kernel
1157s
max time network
1141s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
12/07/2024, 17:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Thunder Roblox External.exe
Size

2.1MB
MD5

727523ed91c9906f744e40cdaff8006f
SHA1

9c591b76dddf202f9e76fcff12855df6bb542590
SHA256

f906d27dcb0e9b5a72b2ccc6b7bf04050dd3289a3671596592d34b90d4d8d8a7
SHA512

da20084614d10ead759cbc47fe23be9f2a22c55d108a23c90784e554d9d09baced16752234194e70b5e1cec1e81e9c5ca2985adecd517d07ae7371b439b24402
SSDEEP

49152:qAsP1Pef97b7b7b6TSjuAHwqBngSb7j0vVZHRKttY+z+cPaL1dxhnQcmYD:EeaAQqcZxKttYNcPaL1ZnF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
3872	Bloxstrap-v2.7.0.exe
6988	RobloxPlayerBeta.exe
9160	Bloxstrap.exe
6156	RobloxPlayerBeta.exe
3120	Bloxstrap.exe
1996	RobloxPlayerBeta.exe
5736	Bloxstrap.exe
6360	Bloxstrap.exe
6520	RobloxPlayerBeta.exe

Loads dropped DLL 4 IoCs

pid	Process
6988	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
55	camo.githubusercontent.com
56	camo.githubusercontent.com
57	camo.githubusercontent.com
58	camo.githubusercontent.com
59	camo.githubusercontent.com
60	camo.githubusercontent.com
22	camo.githubusercontent.com

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

pid	Process
6988	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652805390757010"	chrome.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\URL Protocol	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\URL Protocol	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\shell\open\command	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\shell	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap-v2.7.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell\open	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\DefaultIcon	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\shell\open	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\DefaultIcon	Bloxstrap-v2.7.0.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell\open\command	Bloxstrap-v2.7.0.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RobloxPlayerBeta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	RobloxPlayerBeta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RobloxPlayerBeta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RobloxPlayerBeta.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.7.0.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.7.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
6988	RobloxPlayerBeta.exe
6988	RobloxPlayerBeta.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
9160	Bloxstrap.exe
6156	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
3872	Bloxstrap-v2.7.0.exe
2060	chrome.exe
9160	Bloxstrap.exe
3120	Bloxstrap.exe
6360	Bloxstrap.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
3872	Bloxstrap-v2.7.0.exe
9160	Bloxstrap.exe
3120	Bloxstrap.exe
6360	Bloxstrap.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
6988	RobloxPlayerBeta.exe
6156	RobloxPlayerBeta.exe
1996	RobloxPlayerBeta.exe
6520	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2892	2060	chrome.exe	95
PID 2060 wrote to memory of 2892	2060	chrome.exe	95
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 1044	2060	chrome.exe	96
PID 2060 wrote to memory of 5040	2060	chrome.exe	97
PID 2060 wrote to memory of 5040	2060	chrome.exe	97
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98
PID 2060 wrote to memory of 4620	2060	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe"
1⤵
PID:936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe"
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe"
1⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa533fcc40,0x7ffa533fcc4c,0x7ffa533fcc58
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4364,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3776,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4908,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5096,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3336,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5384,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5392,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5200,i,4925840129566583120,6023361645571075831,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - NTFS ADS
  PID:440
- C:\Users\Admin\Downloads\Bloxstrap-v2.7.0.exe
  "C:\Users\Admin\Downloads\Bloxstrap-v2.7.0.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3872
- - C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
    "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" --app -channel production
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:6988

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9160
- C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
  "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" --app -channel production
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:6156

C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe"
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3120
- C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
  "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" --app -channel production
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1996

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe" -menu
1⤵
- Executes dropped EXE
PID:5736

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6360
- C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
  "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" --app -channel production
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of UnmapMainImage
  PID:6520

C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder Roblox External.exe"
1⤵
PID:8096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json

Filesize
79B

MD5
eab6dcc312473d43c2fa8cc41280d79c

SHA1
b4e9ec7e579d06dfcaa5ac616de2751308a153c3

SHA256
0a27d3c9100ab7ab6f03c45daeb0f0cd586f3aeb59daf7986e853f9614e954fe

SHA512
1ce0fdc237110d644bcc8238f184554f25813ccf7142fd312ce96fbb6659081db677b04485bf66d52100136da6bb9688e48b1287455725c7b4950153aa2a4595

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Settings.json

Filesize
715B

MD5
008f6b65dc7706c89b18c530c547f96d

SHA1
7d74166addacbfb8703dc219c1ed6153b2413606

SHA256
6a49a9c85cb8cfa613e48c53bc65027caad71ab43b049f388b2bb79b0b32ba5f

SHA512
36bb80d61e408617f7c51e46be893a443f9cf896784fa2f054e45242330c77052a9fa7fcced1aa0ba0fca70df1c6289c3300d198e0f7ec2bf1aa6eee515c71ee

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\State.json

Filesize
269B

MD5
61a31f53cd21688f13b48757ebf75bc1

SHA1
2e38af00c1301447d52ea4786f302e44a6991b51

SHA256
a067f2969797035e3a0d702684e05a32a553453798905ba52f872a91f89ab487

SHA512
adf620cab934f4e1c4c5138e25ff00f9b1b4ff5eb12d6c15658b22446baac5ae4f426358fd845d7c63b126de669de2517d88bd34356c41a04687aec9ef37b7be

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.dll

Filesize
17.1MB

MD5
fe218ed45bed27806337dadd0f0aac4a

SHA1
d6a4bcf44d15273814890d145770c946801324c0

SHA256
756ae7f2662fd4caedf8ee1bc8a7add049ab5e000605a8795e2b832977d43d42

SHA512
cb85ee4af06c62a06abacbf9cc0b9b638b86bd5915193d71ac991cd0bfb2bc3c5483363383648d3c71387b6eb6182ff8c82983e7dbff0202914d0352bf517361

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\content\sounds\ouch.ogg

Filesize
6KB

MD5
9404c52d6f311da02d65d4320bfebb59

SHA1
0b5b5c2e7c631894953d5828fec06bdf6adba55f

SHA256
c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

SHA512
22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e815f8591479a4579cc46334f7e66388

SHA1
08e807d95a87633bbb8b801b307096a94d5d64a3

SHA256
d2f2a753f0543ac9e61bf599d28d82377ba86c80f5d0f454e28ed19d027e2417

SHA512
5b6630d04ada9d1b65c92b9d82443e5cc72a53b7b966655d5ac0121611b089c2058a5bf86334872b4226bf10c53450f99b6d7cc871573eb3c9166fdf19cd3e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
e211a6b3f9b390e3bba8142bc475dde1

SHA1
2124024c282bea401f1cf2c4fd7d9b07c77a0c11

SHA256
0bda14f443d798c5573f4f47096749e3f5a0db5e48dd2f9b778b4b62edeb68d1

SHA512
e591bffedee85f325aa717d9cc9767a57da5854d16c4b0a948721676e6e9331200b8160c5f575353cc5694aa471097eb158481620eff849508df00cba4114386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b26661bd26da214ff6633ebdbeb3d09c

SHA1
a0eac503fe6014f03788823cdea8b8a5001ff300

SHA256
3e9ede8d71d730698da8c4e995f4ef105fbf7112bf02f77e10d5833a19d431a9

SHA512
0de12a849d1e2ac72ea651023a4010e479ce37ffdc8514120075931767e0e903af2db9e4d0729e36926d340f879988096d575db0945220fbe4a455f5bce96609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4459dd13c7e976b240d37164a2d88e9b

SHA1
c59bdf9d9d8bc361ecae564feeef1688ea36db84

SHA256
c3a50454f355a6d6b92d7e019c361e9cde16b1e7a3c7341ac9a609ed9382456a

SHA512
69aaf69db4d345cdfb5f3692ca8dd2a1e2ec5d9c948c00ed50b444b6422604ef4f43e3abcceb768041437a7d54040feb669a951bdf3fbbfd08aded3c17388160

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5f8fe2e468f05fe28f713a121e7561e4

SHA1
d271965d09178b679bf38c875978bf5d2459e050

SHA256
eae477469433bbdc6ac75fc3d61c6f63de0f15ceaeb5ddcc333d600080300dfc

SHA512
b577f7530fa95129fbf221a983264c584388119e83ddf8fcd9e335ab889986fee17fed40a4bbd2ca24efd44a3dfdcc7d1d9d13f3c76ec6ad91c2d4754c817fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dbf844fbcbd57a5437ebd2394d9e0485

SHA1
da6df88dcaf3bc0b2e4caa539d7fc040747641b9

SHA256
b0170325477199054e780d189794a19f7bf848a600cf124fe89120d618f4e970

SHA512
1dbe94bae319214a2314d9a95a20bd1cf242be0c047f02447e99e6eabce60b2cf3f271cf21d47543b5a892d48c1226bbb82486ddfd22e7ad895eee1543442710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48959a282eee370d7ef373728827148d

SHA1
7844b9c3d4211bd30ef0c9f0dd243b34cd1c7ca8

SHA256
b849fffeedc6bdf30c5a8028eac24c506267f62a2aefd02686bdd7845a543b80

SHA512
ea8692b17ca8c8b3bad916e0cd65175496d18d7a57fcba2487136aa814a18ae1981408b945067ef42db5916261e36d934356351dea5d4417d0cedd9f07a01315

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
24de3ba3c8e5f21ca28288999b559e1a

SHA1
c7d62bffc0f0d4da2ae01c269ff0e03dad623a7f

SHA256
fec0b8dd8d0e04c2533fe483f81048c2588ddabeb205dd3faf899d31450391ac

SHA512
feafe0d8117dbd14ed2fc2651c412e018468909673293317ce5547327f21b53eb71956b13f950c2acdaa766537e180c37518cf981d4d7e78872705767f8bc3c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eccba1c4627a02bf8ed3ed1ccb0ac0c4

SHA1
6222ff9ba2bd2c8c20e57b1bb87992f3233a9ce8

SHA256
5ad5de1e78c6b55dad09c10359f297d0f61290d15d539071bf8526232aa9ca7d

SHA512
150125bcba49b0047421f3b312396219f095d3490d42fc6ee35678fef1ca398f7acf0391a6446fd182b6ac773eb5b4d4f58a3005d8c7e5cf8bae94fd4cb9ca2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2848820f3a1091d25eaa40151eaf98e7

SHA1
fb6730eb6d7bcb8b819292507e64e6a1d8ff7ba1

SHA256
8076e8e3cdd09d88a369001cae92cdfcc28c236dccb87d37f59f171e33690be4

SHA512
4db3c5e50e88076e0fa09ffaa3ddf4b43a2627acf96826261b2fb6cc10e07c9d8fb57eba92e925d7d381caa05e7a8b894bd1fe3c3dd55683dea19bc558d90684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0ef8c49ba165ce61a93c227452666607

SHA1
e79765c57db08baecd91e065758a2ede91fb3d36

SHA256
439696a5c3b6504511f248ccdec21995887bfe855258cb949c965eebfe72cec6

SHA512
93880cc1eb04b7bffe19273d4a1892b34d537709139af85cddc690495cc390f846602408c4a979812ddf3c60cf0892baf3363fdecf42aebd17a883c325caf528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3c9fed39ea385135590ed4948470a5b9

SHA1
26341fc55fb8326fd01dc0158ecc0230fe724e3d

SHA256
5302dffa30f021a20962016cfd73c4ea29d729f1ca7fa9a1a840c07731bb46f7

SHA512
14f33507d5070b6630d6fcddd92677d6b789336f626645a332ec78f20708eb4081bac07fbd5ffab51795ca60a99796893b275a414160d8c6a851c98ecd45eac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5c4461063f58a1a6082f349bb70cfd68

SHA1
ccc0f59794837b199e26ca4eed290e555af38305

SHA256
6bd84067f14a74cd2cc60e4801fa862f60bb75f5bcac6ccc0376a610f5527b63

SHA512
0fe459ef66fb96b8d299c600c1e71b5ad8488d7504adacbbcddd785341c1b1e5e98a556082d266147861c299557df15e78c9e09df134f040e28173d0cc06cec8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d5723faed2731b36c5890dc0634e937b

SHA1
bd018217a7bcd98ab1f16f0a638de00a80b19e57

SHA256
93ba3725411d5b6f930bc997628b65c38620a8ae33d1e9c43967070f17582f4d

SHA512
11079ab7aac6e1ec2c287df55c810af4069070f85c94981453c191e25b595156f256067c3878b5a884b501e638df50d51aa0ee766976410271fb7bbeaf174050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a82777e0-94ed-47c0-b313-ff2debf28b60.tmp

Filesize
8KB

MD5
c36614c87d8f508c20d2066f4ca90c1f

SHA1
43ac94fc90aa1cfd66408fa0714205551ab09742

SHA256
69b769d8082788d5a915345c72eb6e6656728b986dfb96bf5fc637cd375cfbcf

SHA512
6ca2e3738b467d947289b4aac21710478d9ce938409330713c2f0a4dae0f337357e7f14f111ba23338aaf832fa6d738436b67a5535201d3bbbbf5ab7ae184d4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
cfe71b4b919780eaa37ef9d3ca54667c

SHA1
c858f4f4fffb58e315e6912fabd48a3511838aca

SHA256
aa2e03ee94bffe7be5c6ec50b0f9ab5f61b755c480098f8fbe718fa2d84d2b1d

SHA512
c332ca7e8458216a895a0d83afcfa9a55233b59033363f65fc485c74915c544ef80d4833f6660da76ebdeec2ef9e6a2e209048071ff49c3648c7ddcbcffc4a66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
1969ffa5117fd29c0ab24faae0a262ce

SHA1
39913f02430a954d12a0cf17036ad6cb16fc0ebe

SHA256
66c03e161e9f27167ba0f6bd6fb40ce2ef70fdfcb6c54b8f459637070ba30fbd

SHA512
d73e5f6abec6c56c1a0249cdfac3d2cc107f27345a6bfdb6605f45ed7bdb21eb3f4260e9fe45893f0c1ef599c51b8acec07af10081a52184112c0c36d005e104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
b4850d3bd0e65311639c2fd933fb2eff

SHA1
b1fbf54fc7308a1914d381e223589618a3a3bf07

SHA256
67b7d0272137c479e09f2ba118031ceef893df39a64a08117ca67f7340bf365c

SHA512
fe707d9284be72ba4220fe300d7788d1f13333518bef762df03bcdb1b187b5d1a94f591870cb7344528e2d0b659ea7763f625222e0e40225b92f196b28078f19

Download Submit
C:\Users\Admin\Downloads\Bloxstrap-v2.7.0.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 873754.crdownload

Filesize
10.1MB

MD5
2c752edef5b0aa0962a3e01c4c82a2fa

SHA1
9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

SHA256
891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

SHA512
04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

Download Submit
memory/6988-3938-0x00007FFA719B0000-0x00007FFA719D6000-memory.dmp

Filesize
152KB

Download
memory/6988-3924-0x00007FFA72540000-0x00007FFA72549000-memory.dmp

Filesize
36KB

Download
memory/6988-3885-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3884-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3890-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/6988-3896-0x00007FFA721C0000-0x00007FFA721E0000-memory.dmp

Filesize
128KB

Download
memory/6988-3899-0x00007FFA722B0000-0x00007FFA722BC000-memory.dmp

Filesize
48KB

Download
memory/6988-3897-0x00007FFA721C0000-0x00007FFA721E0000-memory.dmp

Filesize
128KB

Download
memory/6988-3895-0x00007FFA721C0000-0x00007FFA721E0000-memory.dmp

Filesize
128KB

Download
memory/6988-3909-0x00007FFA716E0000-0x00007FFA716F0000-memory.dmp

Filesize
64KB

Download
memory/6988-3908-0x00007FFA716E0000-0x00007FFA716F0000-memory.dmp

Filesize
64KB

Download
memory/6988-3918-0x00007FFA72510000-0x00007FFA7251D000-memory.dmp

Filesize
52KB

Download
memory/6988-3926-0x00007FFA72540000-0x00007FFA72549000-memory.dmp

Filesize
36KB

Download
memory/6988-3943-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3942-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3941-0x00007FFA73B30000-0x00007FFA73B31000-memory.dmp

Filesize
4KB

Download
memory/6988-3940-0x00007FFA719B0000-0x00007FFA719D6000-memory.dmp

Filesize
152KB

Download
memory/6988-3939-0x00007FFA719B0000-0x00007FFA719D6000-memory.dmp

Filesize
152KB

Download
memory/6988-3887-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3937-0x00007FFA719B0000-0x00007FFA719D6000-memory.dmp

Filesize
152KB

Download
memory/6988-3936-0x00007FFA719B0000-0x00007FFA719D6000-memory.dmp

Filesize
152KB

Download
memory/6988-3935-0x00007FFA71980000-0x00007FFA719A0000-memory.dmp

Filesize
128KB

Download
memory/6988-3934-0x00007FFA71980000-0x00007FFA719A0000-memory.dmp

Filesize
128KB

Download
memory/6988-3933-0x00007FFA71980000-0x00007FFA719A0000-memory.dmp

Filesize
128KB

Download
memory/6988-3932-0x00007FFA71980000-0x00007FFA719A0000-memory.dmp

Filesize
128KB

Download
memory/6988-3931-0x00007FFA71980000-0x00007FFA719A0000-memory.dmp

Filesize
128KB

Download
memory/6988-3930-0x00007FFA71950000-0x00007FFA71960000-memory.dmp

Filesize
64KB

Download
memory/6988-3929-0x00007FFA71950000-0x00007FFA71960000-memory.dmp

Filesize
64KB

Download
memory/6988-3928-0x00007FFA71840000-0x00007FFA71850000-memory.dmp

Filesize
64KB

Download
memory/6988-3927-0x00007FFA71840000-0x00007FFA71850000-memory.dmp

Filesize
64KB

Download
memory/6988-3925-0x00007FFA72540000-0x00007FFA72549000-memory.dmp

Filesize
36KB

Download
memory/6988-3886-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3923-0x00007FFA72540000-0x00007FFA72549000-memory.dmp

Filesize
36KB

Download
memory/6988-3922-0x00007FFA72540000-0x00007FFA72549000-memory.dmp

Filesize
36KB

Download
memory/6988-3921-0x00007FFA72520000-0x00007FFA72530000-memory.dmp

Filesize
64KB

Download
memory/6988-3920-0x00007FFA72520000-0x00007FFA72530000-memory.dmp

Filesize
64KB

Download
memory/6988-3919-0x00007FFA72520000-0x00007FFA72530000-memory.dmp

Filesize
64KB

Download
memory/6988-3917-0x00007FFA72510000-0x00007FFA7251D000-memory.dmp

Filesize
52KB

Download
memory/6988-3916-0x00007FFA72510000-0x00007FFA7251D000-memory.dmp

Filesize
52KB

Download
memory/6988-3915-0x00007FFA72510000-0x00007FFA7251D000-memory.dmp

Filesize
52KB

Download
memory/6988-3914-0x00007FFA72510000-0x00007FFA7251D000-memory.dmp

Filesize
52KB

Download
memory/6988-3913-0x00007FFA724D0000-0x00007FFA724E0000-memory.dmp

Filesize
64KB

Download
memory/6988-3912-0x00007FFA724D0000-0x00007FFA724E0000-memory.dmp

Filesize
64KB

Download
memory/6988-3911-0x00007FFA72460000-0x00007FFA72470000-memory.dmp

Filesize
64KB

Download
memory/6988-3910-0x00007FFA72460000-0x00007FFA72470000-memory.dmp

Filesize
64KB

Download
memory/6988-3907-0x00007FFA716E0000-0x00007FFA716F0000-memory.dmp

Filesize
64KB

Download
memory/6988-3906-0x00007FFA716C0000-0x00007FFA716D0000-memory.dmp

Filesize
64KB

Download
memory/6988-3905-0x00007FFA716C0000-0x00007FFA716D0000-memory.dmp

Filesize
64KB

Download
memory/6988-3904-0x00007FFA716C0000-0x00007FFA716D0000-memory.dmp

Filesize
64KB

Download
memory/6988-3903-0x00007FFA71510000-0x00007FFA71520000-memory.dmp

Filesize
64KB

Download
memory/6988-3902-0x00007FFA71510000-0x00007FFA71520000-memory.dmp

Filesize
64KB

Download
memory/6988-3901-0x00007FFA713A0000-0x00007FFA713B0000-memory.dmp

Filesize
64KB

Download
memory/6988-3900-0x00007FFA713A0000-0x00007FFA713B0000-memory.dmp

Filesize
64KB

Download
memory/6988-3894-0x00007FFA721C0000-0x00007FFA721E0000-memory.dmp

Filesize
128KB

Download
memory/6988-3893-0x00007FFA721A0000-0x00007FFA721B0000-memory.dmp

Filesize
64KB

Download
memory/6988-3892-0x00007FFA721A0000-0x00007FFA721B0000-memory.dmp

Filesize
64KB

Download
memory/6988-3891-0x00007FFA72110000-0x00007FFA72120000-memory.dmp

Filesize
64KB

Download
memory/6988-3898-0x00007FFA721C0000-0x00007FFA721E0000-memory.dmp

Filesize
128KB

Download
memory/6988-3888-0x00007FFA73CB0000-0x00007FFA73CE0000-memory.dmp

Filesize
192KB

Download
memory/6988-3889-0x00007FFA73D40000-0x00007FFA73D49000-memory.dmp

Filesize
36KB

Download
memory/6988-3883-0x00007FFA73C60000-0x00007FFA73C70000-memory.dmp

Filesize
64KB

Download
memory/6988-3880-0x00007FFA73B40000-0x00007FFA73B50000-memory.dmp

Filesize
64KB

Download
memory/6988-3882-0x00007FFA73C60000-0x00007FFA73C70000-memory.dmp

Filesize
64KB

Download
memory/6988-3881-0x00007FFA73B40000-0x00007FFA73B50000-memory.dmp

Filesize
64KB

Download