hxxps://github[.]com/ic3w0lf22/Roblox-Account-Manager/releases/download/3[.]6[.]1/Roblox[.]Account[.]Manager[.]3[.]6[.]1[.]zip

Analysis

max time kernel
172s
max time network
172s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.6.1/Roblox.Account.Manager.3.6.1.zip

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2888	Auto Update.exe

Loads dropped DLL 1 IoCs

pid	Process
1656	Roblox Account Manager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
41	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1656	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 804	1512	chrome.exe	30
PID 1512 wrote to memory of 804	1512	chrome.exe	30
PID 1512 wrote to memory of 804	1512	chrome.exe	30
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2664	1512	chrome.exe	32
PID 1512 wrote to memory of 2160	1512	chrome.exe	33
PID 1512 wrote to memory of 2160	1512	chrome.exe	33
PID 1512 wrote to memory of 2160	1512	chrome.exe	33
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34
PID 1512 wrote to memory of 2688	1512	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.6.1/Roblox.Account.Manager.3.6.1.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bd9758,0x7fef6bd9768,0x7fef6bd9778
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:2
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1416 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:2
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3256 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3576 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3932 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3624 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 --field-trial-handle=1084,i,9625004377654453905,6852429786195750749,131072 /prefetch:8
  2⤵
  PID:2972

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2672

C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe
"C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe"
1⤵
PID:2804
- C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe
  "C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe" -restart
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1656
- - C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Auto Update.exe
    "C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Auto Update.exe" -update
    3⤵
    - Executes dropped EXE
    PID:2888

C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe
"C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe"
1⤵
PID:2868

C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe
"C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe"
1⤵
PID:2400

C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe
"C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe"
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b07ab27cda94db942db7d38ecbbf117

SHA1
7dde073e678547ff90be838653e953488fbe25c3

SHA256
81be5d247d5e0d3051a28867525378e947bd3f0b24e5cbb9705b691da9ae3324

SHA512
ff48a839edfd27dccd9e0c7a2b2da26439f07eedf31f5d7da4b8488d05cb7e350da9b9b226b6d9433c0e3f7f85c186363c6f4d831098a19afd2f8ff34b8b1f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e837a23831843cac329b983dcb3c12ec

SHA1
7f9fdb4b10d20de12c704e65306106c6dcd4bb36

SHA256
a74b3f1cc299a80f098665c2c48bde6315fb7f8711ae483c956489bacbc45a1e

SHA512
cb0c13ceff933e0dc571fe641fec61a2c3f75c12e45d71a80272fff6888606534a1897cf34a1ed1c7eb6d20b95b345e0fea166519a34119e5dcb2f4461b19083

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\59e43394-de87-4091-9c13-6c86263454bc.tmp

Filesize
155KB

MD5
4e960846596b98d0df039a53ddf22b35

SHA1
b4bc667d0f4d156b34f762c6ebfca2d8a2f827a3

SHA256
9ed74d19c82da26c314f8bc8401137dd61051ba8d1d7e82b5d69500cf8f05c35

SHA512
aee52666c902671c841326a9902200d38c987cb49eb6cecf7219cbcb0b09f36e06b2fa74a9d0ed536f33838154056a05fcf4a9a765975c66d1882d12363716e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
71f9c7935e7b3c5891fae28d58eeda28

SHA1
5f5b6b4678e819ec3d6a3a1ffeb16cad12e283c6

SHA256
7989777244aec7eec5166bf8db75304f4205d464e826c6f5e6bfcaffb9349868

SHA512
47176d342b596158cd732ff6c21fc47ce48947bf6dc4b7a0a9176b9e28adb4cc6759ab323be89aef8fa583a59c9d034500263a297716c0d8a41003d8ef719624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
16607ce09d6f6be25a88b7c7ca30bc11

SHA1
ac766c4f96ae4822a4f5245ca4b0d3d0f4d936d9

SHA256
27d9fb4f705ebd0f1edbd377d1acf2512043f17ff0595891bd184b9d79032373

SHA512
92f39696e5edc262ba17021f5c62c16e51bfe7d75f1daa9e8e580cc3bd9488b1a14d23be3cb0a78419b20b9b0a775a362f25f9fbd17e17c91b9a8dca66a502c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
efc1517344789282f98d0c34054fa528

SHA1
c64e4fd43703b343ef339d02f5b86e1c51e966a5

SHA256
71a312c581d4f6ae279266c030dfefbe73d0cace861e3a69d4faebf96288cd00

SHA512
69f9ca5fece362bfa30a68acd64024c03e3f4a4ea9d1fe70cbf10dc1edea5c0617f2517ad6a5b2486416b7a75a25e28399ad387576aff5c9bbb49ebb138e0e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3f17d48e2314296325bb231418d92b92

SHA1
93d725d276e5bff849cce943f9a29e2b698297f8

SHA256
633d9fde457aaeaf0996a31c087f56570108aabc8743a725dc1bda72daefb225

SHA512
41f109c339cecae51a36de5b5acdc44948a7cdba7a67ab74cabac27ba901ee22f8c81d735b182aaaff24912e0f452a812c8dd605784d6bc7de083a68ed4a6c99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
daf653f504f872755335f8aa71a1ca0f

SHA1
f68aee9fa8efa73a1c8411b8958ef778d822e12c

SHA256
8e63a0bb60de26695cf97774c593e58fdf5683e1c1ebdf14c9cd6a6beab974d3

SHA512
2c1d01eb73c02faec3da077145a9edd54a20f705c07e47cf9711f81048cb02d635952dea9d2a4c490fe5ccaca68b791d4785e43d3af18aeccacc94ca680a8ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
677dbbb089425ac6cdf1733b18a5cdf8

SHA1
9176b86da8c773abd1dbd7fa0c4d5b8cf0def598

SHA256
9ae12038dbb8a2659ce149f3290e00916b40d76e7f64a351df28c1396ffa0725

SHA512
ad8e00d0835c7fe02183b4e7fb7d9c41a061a5a036db1aae84b4ab40b8bbfb3f866f85354b73a63b42b6b53629ddb14e9cff93c321e1abf67d2e01f282160b5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
565735418a787300bf11c5018e52de2c

SHA1
d254d4fa13b3e1b5169ded9c460ba08e8377d495

SHA256
98085df198dca2fb8f744254e083a418c9e44aabca73726a029f331c863499c9

SHA512
4ee101709ba2d9f0228cfdbcbf8f926363ab1b562d1788452dee7cc689314b4aab371c6c818e6a6ef4ed91217ec3021e8619be3254c03bdac393d5234b8b63c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA112.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA134.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Auto Update.exe

Filesize
5.2MB

MD5
a057fae0c8c97ee6cf2c12fb7bcf034d

SHA1
64fe0eb242b5c3f9c42f4f2c1685e4a36708e4f6

SHA256
cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9

SHA512
447cf69cf39ef19d098f4ab223d6ad9d760efb1eabb1bb0dac27fd2e55ac14c5a6502f2edd00b199d2db702e38551065bcc087c8df931360e769443908a4d200

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\RAMSettings.ini

Filesize
1KB

MD5
5369e83203a8972ee844ac973efd985a

SHA1
d91909ad9be3a67f66687a5cc58258fe2b715986

SHA256
fbbf21c6c6a3594b126ad1e48a06e315478022b6fa54ab0dc54b9ddaf30089ee

SHA512
af7fbb21b3ff7a32b34c72a303f380edda527a0f4273237f3c9a9f8804e83eb2bbbc1300135d094f64888227d72fdd832616dc2e18797398ad3df6db0d6b16f6

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\Roblox Account Manager.exe.config

Filesize
5KB

MD5
7e067afe7c779870c370c40240e2ce1f

SHA1
71d59901ee26810c2b2cfdeca176cec9a54fdb48

SHA256
5e0ba1895cf088e6d6907b8abbd8cd41c86f39cc642351a9ab0bf458bf1f5b31

SHA512
7ae4e81cd7a06aca5c363e1009d898aa8b42236d6796c38a8ba07adb52eae45f69cd446d008a0e1d12c60c02a43bee1c813231d58884c6dd69a2967e243c9cc6

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\log.txt

Filesize
1KB

MD5
17b66ec5a12414ec6596ae1c964c9133

SHA1
b9b464e3140b66cbce7d269f70b8114294b0b416

SHA256
18f7350acda53c0e8c5a4b37be4d70fa6b185794eaecaef2d42af8de79c27724

SHA512
5f7a4b01256463d7adc4641c1c09ce05488edbcb2a6f2a8e37c4c3ac9a8e80c54ff9c78922e399e3ab2201092eacaf4d9a8876e1db1f94b3eb15c2dfe607917a

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1 (2)\Roblox Account Manager\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
C:\Users\Admin\Downloads\Roblox.Account.Manager.3.6.1.zip

Filesize
4.0MB

MD5
acc4818f58f1a1d2d2844a05f1aece19

SHA1
e3038c4501bb62415c18bfacca92167ebc4d623b

SHA256
1b94210a7a05ce8379db7b8c11d41f84bc868cbdcd0685733754728678bb5fa2

SHA512
1ca986d1ea6c8c87c590d891b3f29d5123e565e8ba2031728aa2c4b96892a18f00b478b6589ea73f056ec04ff0d07830fa5393c366eb849e80515971d6089207

Download Submit
memory/1656-253-0x000000000A610000-0x000000000A6A2000-memory.dmp

Filesize
584KB

Download
memory/1656-384-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-251-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-254-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/1656-249-0x0000000004CA0000-0x0000000004D14000-memory.dmp

Filesize
464KB

Download
memory/1656-259-0x0000000005940000-0x0000000005998000-memory.dmp

Filesize
352KB

Download
memory/1656-261-0x000000000A890000-0x000000000A94E000-memory.dmp

Filesize
760KB

Download
memory/1656-262-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/1656-263-0x0000000006050000-0x0000000006058000-memory.dmp

Filesize
32KB

Download
memory/1656-264-0x0000000006070000-0x0000000006078000-memory.dmp

Filesize
32KB

Download
memory/1656-265-0x000000000AAF0000-0x000000000ABA2000-memory.dmp

Filesize
712KB

Download
memory/1656-266-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/1656-247-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-378-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/1656-383-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-252-0x0000000005570000-0x00000000055A4000-memory.dmp

Filesize
208KB

Download
memory/1656-245-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-411-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-400-0x0000000008FE0000-0x0000000008FF6000-memory.dmp

Filesize
88KB

Download
memory/1656-399-0x0000000008F90000-0x0000000008F9A000-memory.dmp

Filesize
40KB

Download
memory/1656-401-0x0000000009030000-0x000000000903A000-memory.dmp

Filesize
40KB

Download
memory/2400-412-0x00000000008A0000-0x0000000000DDE000-memory.dmp

Filesize
5.2MB

Download
memory/2804-239-0x0000000000500000-0x0000000000526000-memory.dmp

Filesize
152KB

Download
memory/2804-244-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-237-0x0000000000370000-0x00000000003B6000-memory.dmp

Filesize
280KB

Download
memory/2804-238-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-236-0x0000000001210000-0x000000000174E000-memory.dmp

Filesize
5.2MB

Download
memory/2804-235-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2888-410-0x00000000009F0000-0x0000000000F2E000-memory.dmp

Filesize
5.2MB

Download