8226babff47d9ae4deb0e971e8bd7d7fdaf408ceabec26ed49344c769c35ff1b

Resubmissions

17-08-2024 02:58

240817-dgkalstdjb 3

17-08-2024 02:53

240817-ddal1awgln 7

17-08-2024 02:50

240817-dbzhcataqh 3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RBX Alt Manager.exe
Size

2.8MB
MD5

d7e5999454c8f6989db4e67b62b5f2d1
SHA1

e56856bbbed5c0f284dc0421d492c56846b39349
SHA256

178b0c3fb9a0c32018b1a793d957a9af9353dcf00f127e5e6a7014436af913e7
SHA512

e64c9f8044537c6b86d237ac8d3f46b59028fefadbbf88f87c29a66a5708ebac1f3be5129624755e991e31b4b15bf7fed473984000f701be249e6bae54b190e4
SSDEEP

49152:j7889jveTA80A95HwdBTo0DPU4ne/ow+W7SCjm7gN2nVFanC/BA8q8:j8EqvHKNoMU4nyjI7W0FWwA9

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	RBX Alt Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBX Alt Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4624	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4056	Auto Update.exe
Token: SeDebugPrivilege	4768	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4768	Auto Update.exe
Token: SeDebugPrivilege	4740	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4740	Auto Update.exe
Token: SeDebugPrivilege	4300	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4300	Auto Update.exe
Token: SeDebugPrivilege	4456	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4456	Auto Update.exe
Token: SeDebugPrivilege	3508	Auto Update.exe
Token: SeDebugPrivilege	4624	taskmgr.exe
Token: SeSystemProfilePrivilege	4624	taskmgr.exe
Token: SeCreateGlobalPrivilege	4624	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	3508	Auto Update.exe
Token: SeDebugPrivilege	3204	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	3204	Auto Update.exe
Token: SeDebugPrivilege	2272	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2272	Auto Update.exe
Token: SeDebugPrivilege	4872	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4872	Auto Update.exe
Token: SeDebugPrivilege	2532	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2532	Auto Update.exe
Token: SeDebugPrivilege	1668	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1668	Auto Update.exe
Token: SeDebugPrivilege	2620	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2620	Auto Update.exe
Token: SeDebugPrivilege	5084	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	5084	Auto Update.exe
Token: SeDebugPrivilege	1824	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1824	Auto Update.exe
Token: SeDebugPrivilege	1332	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1332	Auto Update.exe
Token: SeDebugPrivilege	1756	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1756	Auto Update.exe
Token: SeDebugPrivilege	1648	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1648	Auto Update.exe
Token: SeDebugPrivilege	1060	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1060	Auto Update.exe
Token: SeDebugPrivilege	5112	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	5112	Auto Update.exe
Token: SeDebugPrivilege	4724	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4724	Auto Update.exe
Token: SeDebugPrivilege	4968	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4968	Auto Update.exe
Token: SeDebugPrivilege	2976	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2976	Auto Update.exe
Token: SeDebugPrivilege	4648	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	4648	Auto Update.exe
Token: SeDebugPrivilege	1440	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1440	Auto Update.exe
Token: SeDebugPrivilege	2952	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2952	Auto Update.exe
Token: SeDebugPrivilege	2364	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	2364	Auto Update.exe
Token: SeDebugPrivilege	1804	Auto Update.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4056	4524	RBX Alt Manager.exe	87
PID 4524 wrote to memory of 4056	4524	RBX Alt Manager.exe	87
PID 4524 wrote to memory of 4056	4524	RBX Alt Manager.exe	87
PID 1460 wrote to memory of 4768	1460	RBX Alt Manager.exe	97
PID 1460 wrote to memory of 4768	1460	RBX Alt Manager.exe	97
PID 1460 wrote to memory of 4768	1460	RBX Alt Manager.exe	97
PID 4144 wrote to memory of 4740	4144	RBX Alt Manager.exe	99
PID 4144 wrote to memory of 4740	4144	RBX Alt Manager.exe	99
PID 4144 wrote to memory of 4740	4144	RBX Alt Manager.exe	99
PID 2828 wrote to memory of 4300	2828	RBX Alt Manager.exe	101
PID 2828 wrote to memory of 4300	2828	RBX Alt Manager.exe	101
PID 2828 wrote to memory of 4300	2828	RBX Alt Manager.exe	101
PID 1580 wrote to memory of 4456	1580	RBX Alt Manager.exe	103
PID 1580 wrote to memory of 4456	1580	RBX Alt Manager.exe	103
PID 1580 wrote to memory of 4456	1580	RBX Alt Manager.exe	103
PID 1660 wrote to memory of 3508	1660	RBX Alt Manager.exe	108
PID 1660 wrote to memory of 3508	1660	RBX Alt Manager.exe	108
PID 1660 wrote to memory of 3508	1660	RBX Alt Manager.exe	108
PID 4116 wrote to memory of 3204	4116	RBX Alt Manager.exe	112
PID 4116 wrote to memory of 3204	4116	RBX Alt Manager.exe	112
PID 4116 wrote to memory of 3204	4116	RBX Alt Manager.exe	112
PID 2152 wrote to memory of 2272	2152	RBX Alt Manager.exe	114
PID 2152 wrote to memory of 2272	2152	RBX Alt Manager.exe	114
PID 2152 wrote to memory of 2272	2152	RBX Alt Manager.exe	114
PID 688 wrote to memory of 4872	688	RBX Alt Manager.exe	116
PID 688 wrote to memory of 4872	688	RBX Alt Manager.exe	116
PID 688 wrote to memory of 4872	688	RBX Alt Manager.exe	116
PID 2244 wrote to memory of 2532	2244	RBX Alt Manager.exe	118
PID 2244 wrote to memory of 2532	2244	RBX Alt Manager.exe	118
PID 2244 wrote to memory of 2532	2244	RBX Alt Manager.exe	118
PID 4344 wrote to memory of 1668	4344	RBX Alt Manager.exe	120
PID 4344 wrote to memory of 1668	4344	RBX Alt Manager.exe	120
PID 4344 wrote to memory of 1668	4344	RBX Alt Manager.exe	120
PID 3376 wrote to memory of 2620	3376	RBX Alt Manager.exe	123
PID 3376 wrote to memory of 2620	3376	RBX Alt Manager.exe	123
PID 3376 wrote to memory of 2620	3376	RBX Alt Manager.exe	123
PID 2212 wrote to memory of 5084	2212	RBX Alt Manager.exe	125
PID 2212 wrote to memory of 5084	2212	RBX Alt Manager.exe	125
PID 2212 wrote to memory of 5084	2212	RBX Alt Manager.exe	125
PID 208 wrote to memory of 1824	208	RBX Alt Manager.exe	127
PID 208 wrote to memory of 1824	208	RBX Alt Manager.exe	127
PID 208 wrote to memory of 1824	208	RBX Alt Manager.exe	127
PID 3936 wrote to memory of 1332	3936	RBX Alt Manager.exe	129
PID 3936 wrote to memory of 1332	3936	RBX Alt Manager.exe	129
PID 3936 wrote to memory of 1332	3936	RBX Alt Manager.exe	129
PID 2848 wrote to memory of 1756	2848	RBX Alt Manager.exe	131
PID 2848 wrote to memory of 1756	2848	RBX Alt Manager.exe	131
PID 2848 wrote to memory of 1756	2848	RBX Alt Manager.exe	131
PID 4304 wrote to memory of 1648	4304	RBX Alt Manager.exe	133
PID 4304 wrote to memory of 1648	4304	RBX Alt Manager.exe	133
PID 4304 wrote to memory of 1648	4304	RBX Alt Manager.exe	133
PID 4216 wrote to memory of 1060	4216	RBX Alt Manager.exe	135
PID 4216 wrote to memory of 1060	4216	RBX Alt Manager.exe	135
PID 4216 wrote to memory of 1060	4216	RBX Alt Manager.exe	135
PID 748 wrote to memory of 5112	748	RBX Alt Manager.exe	145
PID 748 wrote to memory of 5112	748	RBX Alt Manager.exe	145
PID 748 wrote to memory of 5112	748	RBX Alt Manager.exe	145
PID 5044 wrote to memory of 4724	5044	RBX Alt Manager.exe	147
PID 5044 wrote to memory of 4724	5044	RBX Alt Manager.exe	147
PID 5044 wrote to memory of 4724	5044	RBX Alt Manager.exe	147
PID 4440 wrote to memory of 4968	4440	RBX Alt Manager.exe	149
PID 4440 wrote to memory of 4968	4440	RBX Alt Manager.exe	149
PID 4440 wrote to memory of 4968	4440	RBX Alt Manager.exe	149
PID 3660 wrote to memory of 2976	3660	RBX Alt Manager.exe	151

C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
"C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        19⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        21⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        23⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        24⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        26⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        27⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        28⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        29⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        30⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        31⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        32⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        33⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        34⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        35⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        36⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        37⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        38⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        39⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        40⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        41⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        42⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        43⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        44⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        45⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        46⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        47⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        48⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        49⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        50⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        51⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        52⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBX Alt Manager.exe"
        53⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" skip
        54⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Auto Update.exe.log

Filesize
1KB

MD5
549abf1686938422180e8d59739819cb

SHA1
bba40eb67f7170bc4896fd12cd307fc5ba006e6f

SHA256
4ae2b577dd16efb5eadf03f06daf710d9977e9e8b79cfc9e31dab295fd5b12f5

SHA512
bf4b7898d6e259e8667eae36f294fcc0ae91dfe8e32da120d9078c1bac039037d2709e5f2bdee76d198330b9d36e235723f82af15b7d634a43abd1c395593cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RBX Alt Manager.exe.log

Filesize
410B

MD5
3bbb825ef1319deb378787046587112b

SHA1
67da95f0031be525b4cf10645632ca34d66b913b

SHA256
d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0

SHA512
7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.zip

Filesize
4.2MB

MD5
d58b79cb3d3635ba963427362f75d075

SHA1
0e33eeff9b625fceb2d2d0195e6f32523d57db79

SHA256
49b2c015da0851a2ed43820799a7bcda08e1bc5f315e107598f87f4b1bd36dac

SHA512
176de76618d0dc43f17e2971787666b737d7308a67f40bd2bb82ab4f0d3276f877fbeb7cc987f797e6572ec736c29d8568f441194a45cb5ba8d751bf139ab79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update\Roblox Account Manager.exe

Filesize
5.4MB

MD5
334728f32a1144c893fdffc579a7709b

SHA1
97d2eb634d45841c1453749acb911ce1303196c0

SHA256
be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

SHA512
5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f

Download Submit
memory/688-95-0x00000000015F0000-0x0000000001604000-memory.dmp

Filesize
80KB

Download
memory/1460-28-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1460-26-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1460-27-0x00000000053B0000-0x00000000053C4000-memory.dmp

Filesize
80KB

Download
memory/1460-30-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1580-53-0x0000000004B30000-0x0000000004B44000-memory.dmp

Filesize
80KB

Download
memory/2188-220-0x00000000010F0000-0x0000000001104000-memory.dmp

Filesize
80KB

Download
memory/2212-124-0x0000000000C40000-0x0000000000C54000-memory.dmp

Filesize
80KB

Download
memory/2828-45-0x00000000013A0000-0x00000000013B4000-memory.dmp

Filesize
80KB

Download
memory/3660-191-0x0000000004DB0000-0x0000000004DC4000-memory.dmp

Filesize
80KB

Download
memory/4056-10-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/4056-11-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4056-16-0x0000000009720000-0x0000000009732000-memory.dmp

Filesize
72KB

Download
memory/4056-25-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4056-15-0x0000000008090000-0x000000000809A000-memory.dmp

Filesize
40KB

Download
memory/4056-13-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/4056-12-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4056-21-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4304-153-0x0000000002F00000-0x0000000002F14000-memory.dmp

Filesize
80KB

Download
memory/4524-9-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4524-4-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4524-7-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/4524-6-0x0000000006640000-0x000000000674A000-memory.dmp

Filesize
1.0MB

Download
memory/4524-5-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/4524-1-0x0000000000DA0000-0x000000000106A000-memory.dmp

Filesize
2.8MB

Download
memory/4524-2-0x0000000006090000-0x0000000006634000-memory.dmp

Filesize
5.6MB

Download
memory/4524-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4524-3-0x0000000003490000-0x00000000034A4000-memory.dmp

Filesize
80KB

Download
memory/4624-67-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-76-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-75-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-74-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-73-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-77-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-78-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-79-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-69-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/4624-68-0x0000024644FA0000-0x0000024644FA1000-memory.dmp

Filesize
4KB

Download
memory/5044-176-0x00000000018C0000-0x00000000018D4000-memory.dmp

Filesize
80KB

Download