6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3

Analysis

max time kernel
149s
max time network
160s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RBXIDLE.Setup.3.0.0.exe
Size

144.1MB
MD5

f7cd23293d037af068d7b4552f8bcee3
SHA1

32485a4bb72cb1646a3028836378015cbcde2180
SHA256

6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3
SHA512

f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa
SSDEEP

3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe
1720	powershell.exe
1340	powershell.exe
2420	powershell.exe
1328	powershell.exe
2552	powershell.exe
1936	powershell.exe
2172	powershell.exe
1252	powershell.exe
2300	powershell.exe
780	powershell.exe
1624	powershell.exe
1136	powershell.exe
3056	powershell.exe
1244	powershell.exe
2588	powershell.exe
2844	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2724	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
104	discord.com
105	discord.com
106	discord.com
107	discord.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

Executes dropped EXE 5 IoCs

pid	Process
984	RBXIDLE.exe
2792	RBXIDLE.exe
3024	RBXIDLE.exe
2112	RBXIDLE.exe
768	RBXIDLE.exe

Loads dropped DLL 32 IoCs

pid	Process
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1188	Process not Found
984	RBXIDLE.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
984	RBXIDLE.exe
984	RBXIDLE.exe
2792	RBXIDLE.exe
3024	RBXIDLE.exe
2792	RBXIDLE.exe
2112	RBXIDLE.exe
1188	Process not Found
2792	RBXIDLE.exe
2792	RBXIDLE.exe
2792	RBXIDLE.exe
2792	RBXIDLE.exe
2792	RBXIDLE.exe
2792	RBXIDLE.exe
2792	RBXIDLE.exe
768	RBXIDLE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBXIDLE.Setup.3.0.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b279dd0d39db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0520AAC1-A501-11EF-A97E-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000006830c4739ad10694f0d2cf8c5cc505a415da5d72800d6a43c453d442bebd2af7000000000e80000000020000200000004ba9e4da7b717ccbfa29998c35dbd7cfac4e0e17077333ba9be5e355c027f56c2000000000d0643100fa2a1de785ff88b2dca661ce39168ee4b6d28a6e40615a25c66382400000009e0e5098849e4048d986ce4473b02fe0b32c2e08eaf1542506660d531e6d512c9774f451c7389f84edc186e54df9ffbf615953a9995cda56f12742723f2d418a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438022795"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000075069c5dcf90ab4b4028624e63369029dfd3c64aa326fd33f39eddc8de563f30000000000e8000000002000020000000d33cda658cace9d87a439a2c6ea485295e7b697b399af1e171968edc176541b7900000002154c54372dc731468ea31b505e7bcbff45d329832d453209aa43dbf26e6a6b5b08104890c54f71e3194981ecc7b31b8d1b13fffeacaffcb1de7f8e740b3c9c8b2d63e8ebadf48bcae5523548d6282e1b214c52967b9c2347a78996da1a9286ce31a9e47cf976c54c3f112fe4f2f7605ae82d7ae20013f18ad7b494d84f68a039151843bd85991e95ea24bf6e980ec964000000007858356fbf6a621ef99e627e5ea7b522b0f89605a9ab2acfc7e8be741d91f8d7323152c3e7689c21dc99eca4f1bc9a309d89d5e316aa4c85d49b3f689ccc6f7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RBXIDLE.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
1720	RBXIDLE.Setup.3.0.0.exe
3024	RBXIDLE.exe
2112	RBXIDLE.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
1516	powershell.exe
1244	powershell.exe
1328	powershell.exe
1136	powershell.exe
1252	powershell.exe
2300	powershell.exe
3056	powershell.exe
1720	powershell.exe
780	powershell.exe
2552	powershell.exe
1340	powershell.exe
1936	powershell.exe
2420	powershell.exe
1624	powershell.exe
2172	powershell.exe
2588	powershell.exe
3832	dxdiag.exe
3832	dxdiag.exe
984	RBXIDLE.exe
984	RBXIDLE.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1720	RBXIDLE.Setup.3.0.0.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3848	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe
Token: SeRestorePrivilege	3832	dxdiag.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3548	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3548	iexplore.exe
3548	iexplore.exe
3764	IEXPLORE.EXE
3764	IEXPLORE.EXE
3848	dxdiag.exe
3764	IEXPLORE.EXE
3764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1284	984	RBXIDLE.exe	33
PID 984 wrote to memory of 1284	984	RBXIDLE.exe	33
PID 984 wrote to memory of 1284	984	RBXIDLE.exe	33
PID 1284 wrote to memory of 3040	1284	cmd.exe	35
PID 1284 wrote to memory of 3040	1284	cmd.exe	35
PID 1284 wrote to memory of 3040	1284	cmd.exe	35
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 2792	984	RBXIDLE.exe	36
PID 984 wrote to memory of 3024	984	RBXIDLE.exe	37
PID 984 wrote to memory of 3024	984	RBXIDLE.exe	37
PID 984 wrote to memory of 3024	984	RBXIDLE.exe	37
PID 984 wrote to memory of 2112	984	RBXIDLE.exe	38
PID 984 wrote to memory of 2112	984	RBXIDLE.exe	38
PID 984 wrote to memory of 2112	984	RBXIDLE.exe	38
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39
PID 984 wrote to memory of 768	984	RBXIDLE.exe	39

C:\Users\Admin\AppData\Local\Temp\RBXIDLE.Setup.3.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.Setup.3.0.0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
"C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:3040
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=gpu-process --field-trial-handle=1028,11186204794569995411,6045548843151678026,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1036 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2792
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,11186204794569995411,6045548843151678026,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --mojo-platform-channel-handle=1356 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1028,11186204794569995411,6045548843151678026,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1496 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources\app.asar" --enable-sandbox --field-trial-handle=1028,11186204794569995411,6045548843151678026,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\f5b7a1e57434f4dafc4d560171a8efbb\execute.bat'" -WindowStyle hidden -Verb runAs"
  2⤵
  - Hide Artifacts: Hidden Window
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\f5b7a1e57434f4dafc4d560171a8efbb\execute.bat'" -WindowStyle hidden -Verb runAs
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f5b7a1e57434f4dafc4d560171a8efbb\execute.bat"
      4⤵
      PID:1864
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass Add-MPPreference -ExclusionPath C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass Add-MPPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\RBXIDLE
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "explorer https://discord.gg/XB94k6SxWN"
  2⤵
  PID:1084
- - C:\Windows\explorer.exe
    explorer https://discord.gg/XB94k6SxWN
    3⤵
    PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"
  2⤵
  PID:3644
- - C:\Windows\system32\dxdiag.exe
    dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
    3⤵
    PID:3696
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\SysWOW64\dxdiag.exe" /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"
  2⤵
  PID:3736
- - C:\Windows\system32\dxdiag.exe
    dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\SysWOW64\dxdiag.exe" /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\f5b7a1e57434f4dafc4d560171a8efbb""
  2⤵
  PID:3876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3140
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/XB94k6SxWN
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3548
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1f07efd09b9c9b83b535961f12dfdfe8

SHA1
1318fefe231e07ef46920bac03ddcffbfba8cb54

SHA256
9c260557278b4540f58e2efc895c515d2af8b69b58fd7bf6eabe476f679dfb29

SHA512
65a57fc012ab095a3399bb290a313b4930b63275ce0de9f6be801754773a469d07be5f597edc48028c2ca13c6cacec81ba1e2803c31fcba6fc60f5f24aaea1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b75f0b78227d24d431804cc202f3a578

SHA1
a40c8c48e7bf686c624c29bf02a6219a977ebcf8

SHA256
f0e56edc4079970219b2ca8a491b34cde8ff16e0a733cd2217ce381b82aff9a1

SHA512
5d5550cb112728a0462c51f2ef5893798419ef33f3701267d0b45ca151e89ac2956df4a88fee160fa4ed3b87dca92790f5309027e5641ec7a893ce4eb3b3c127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80483164c28207e97e5f7a1079551c42

SHA1
c3278666087663b2246558ae8754405d338fd844

SHA256
ad56148077af7cfdf3fde351af5f867752bc95cd520b45f3d3ea884cf2b10914

SHA512
4620874d216ff7883e8f274184b18a4a3c352c80e907b55a603659d69ec205e05a12932c3aacab7e01d688f592dcf42a0d094e390baa1e17a296373521832edb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33107646645c265b6d97367320127d4c

SHA1
2c60eb3bdb75aef1ccb8ee0770de3d2d35d506c0

SHA256
48b774902f1e68d891413b06c3cbbdcb549d69d3cf634867f046b189b68bc324

SHA512
ff8bea8abf839a7439586ce94cccaed1aedba3cd3d6a1eeb93f425ec5f79a1db4d01ae1f50e8ed51e565b8e2344264a8b82cf165a75b762c6421d4f5220d9cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6026780d906cc084501624c9ffd44686

SHA1
0037ddb803758befb9ddd11e37da9561ec95b493

SHA256
cae02cd23e23f37086bf865c9165669719bcc96dcb9c7f04c3f67b75ac0b1572

SHA512
1c60b8c734a773c598dc46f1f2c849147d3f8f2d9aad6b9e777bdd718469017085cc12e2dc07984a8d519a2dc0185125012565ea2e59446a1a0594ee5c81e362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9efb321fe542ea5403f0b5a335553178

SHA1
86955ff07df2f7f8dee3114014ed2e2d715b5817

SHA256
67d1d76188d74df2da883db54b4b68e5a073581b978c4de914aa7a06f695e296

SHA512
def17c0c2849c168d204a8292852047225c2d629f13297b1c777502ab35c6a7d458413c65b949ce568b08468407199c574fcecbc27fa15d3ccad1ad02a37163d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b02048d2b603c52041a2b5a903fcccd

SHA1
aef7fcb4135c2748d841f8e10185eac89ee2c11c

SHA256
2fe0e5f78c80bd025b8aa423dfd09b40b7eb40c190e0e5253b5bc54f5485cb47

SHA512
2fe141c2981ebe60c78e516e92f7142458171a10ad53f07f80e4f0d0ec54f4fa37a8e9bbefc9bea1b6cd233fda3c28015d45eecfde3b26613b6c4434fc051e13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8f07b70f63fde0a47c1f7ad889c0e0b

SHA1
ae679961aab045f3c4b98c73b831c068e032e8e5

SHA256
183535330a11fc117b2eb58becbac3d93d0b01b117c78860a152de943f00aa84

SHA512
2bab237e3e2aba3ac8e3337bc32beb218e01b8db3b7ce10c991d1787faa338db27a793312801861ba5aa0a4468276773133cb399e083f9714b1e3af904c982bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6091fcd884223e81d393ecde3a94d652

SHA1
e5c093fe7eb35a67b6e796e19f00268ff4273d8a

SHA256
c1cd71a3b4a6dcd0b110306a6823f09325ff10a121389c7e58cd9f66447dd0b2

SHA512
544b51c578b69b5fbf8b1a3f6f59d0c63e5c1b419866c44499c0b99b7f87f53684983a2548790f6e2a6a5c2c9863957c4c5e051428effbdf19ec8e54b09fddb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2069ac36506e9a462a2441c91e78e35

SHA1
1dadaf4ba28860c55dd9f66a8e335a45219d1fa9

SHA256
100cdb05cb3dffffb255c865bf9645058c79b3a8006b150e4390cf22978335da

SHA512
9a902b25079b3f20836ec86348d37298a01eeb4daa629c34a0bf8ae5b8cabbd80995ef09f41e440aff8611d121df1d111180db73634e8acfbeda3c9fb195dbaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2fbaaee4cf3387e19edc340d08e079

SHA1
4ecfc672a15321b2533885b5b9a8653e1dada90d

SHA256
1916200e38464494dafc47670fca96df56145df9c9bc1f4a943887693601cb63

SHA512
0d7b58a214776b1ec4652b56ea436e5c7a40ecce2b7127f7e88de3e01783f43c9dd148a2ff5b9cae71434a96ebab124e371ca673ebe6d3d8cfbad2456b6407ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b380a282e690e25e4b7458060c53da

SHA1
f8e340c7575ce12176f0d03576b9f5e5f49fdd76

SHA256
27b87ddad221c05ebbf7311e03c79fa7654cd42faf58e9c81cf75e162ec11960

SHA512
f191b027e3349ae3617da0a1e1314ca08b4126d36f377273f492c0eb26c20207604f1176840e541e588e1aa376dc065464710ca5cc02c0fd1a6be821186fe757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0978e2c632b0a8fc6c52bb50335d7a8c

SHA1
d3e08429f14ca5385301190e61637e0ab29089d0

SHA256
fdfcda738af48275f66669922eea3c6a5cdbc932ec8110fa9aedc257b71439fb

SHA512
87caf6ac85cb57c716718eb7ebe7d4877d5da1b25a956e8a74fabe409d2e7fc53fdd4cf622e6fb18c057e7768caa0170a97ad6f00af714b233a52717277f38b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
756fcb30901470a7c6b6986da997ae2e

SHA1
fdfaa4a9eb317a20d76b22ad460e2f7faad6b4f1

SHA256
425a7f7efb4944a1693e02078be970b54a165903548abdf995d3556bcdd43dc2

SHA512
856e1705ced5965b70b8153d6c32cf8d0ee442d974873e9293b6a7316b3f547bde3e89221bf4016fbabd287f939bbdc6770b7fb1ceaaff2ffe1805396743f3ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cfc3ce77eaff7119e954cc1ac657b79

SHA1
399246e0acdddfa841f617e6dddb2b8fed1d986e

SHA256
79f37a9d7cb17ae3c8c817bd27351b9e4ff7bfe410282b33da79a57e80b055a3

SHA512
9c7a58c964335cead38a8d022c81940b99dffb38fddf44ead6055dc457b1ea27f7291ee1a5045e045c9b25f2f1f3b1228a4b74a53d2c4b81cdddb1257e54b374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12584d1ba93920c66aa16f228d22f83f

SHA1
c0037987eb1d2a9c085c56fbd8f86b5e7fac496a

SHA256
a9cd83b92fa1aeefffbdad47534a5720a8b791e2f8968cd60bbe064dcac11bdf

SHA512
4ca097d217702f78fb82fe6c0871748368e7bd68af1c96f9e079ced82fe4cf13deddc2ff40709ead27f0a1f27585cf55cde09b62cc90040c3830037b58d14f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae65a9668d4959110590f00a8ebd0617

SHA1
518c49db6d2fd2dae61fd70d08574a2197d3ad5c

SHA256
c6c9c5fed546a8cfe7cd0f73f15e96bc9fcf85fbb81dad5f286233716fabfe73

SHA512
d0d65cbf45f6fa960520fe5014ce062292faff09f8b03091f708f36b6332c9b5a3bf9626ca27b3b7fca5e9905ffb145fa797cbbb48f44e247fd5b098fc78e308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
326c89a01122f0686365773a9618b31d

SHA1
7d9d282502eb883436b1ed8fbcecdcc26516002b

SHA256
148cae4e6dca0e200d6eec6767ac15435db6c9bf8d69178813d3984dec0f5cb4

SHA512
537fbb5c2561f9a001912c44c86ea14bf56c804be840677d32f4071e70433cb17f0ce94fd67e58087ac13cadbf9cf24c05a87045649e5c622e56da1974657fe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c86eea0c3aa114593793f52f195a5807

SHA1
b37426dc3cea52e39e6a67c689b8c92759c7946c

SHA256
4920006f0bcc08e8c221a79293c800892f846434448af5916e369afc6485d1f1

SHA512
3dd2f483d996739cec876dd388acb7864b3c6f60a48d676c2896627e842d9c655deb447c907828fe6d3329c744ed0f5947904276ae65238b943080caba4a034d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d283a6ef6753f774a549dac7454fa7f5

SHA1
c145395999b36738f531b743e6e87be324c554fb

SHA256
f4293254bda98d7f588fc2f9a568a990ab208980b9f215286c4d380aaf58174e

SHA512
50e095d0af8f5b521073dd8d5a7a839f872da0cd0b75d69e57a74b537c357577fcef9ccb69ee8ecf83a2b189eb94cfb8c9e6cd8a8b70b02b358098fa96427706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
284354cbca1bd8efd2e935da951cf8f8

SHA1
6ba3f77a1c24e37ec1315e71be88eb56acc59d57

SHA256
304e53a25ca6274d63703122835b313e2d3c7230ec56888e65d370fbb2f9da0f

SHA512
63cfe2440c162eb16c2e422aa96f554768c95ff28c8e3334a0f8beeedad4877e7c55c6decb64386390a4b804332325ed8c4ab3dbdadb088bf9aa6b514a191b31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fc02bb1a061f959388611d366982ec9

SHA1
acc8a4b8e13e9ce905a60adbd41776addbb61ebb

SHA256
fc25f92c1de0698035510e76251fa386ccdc62b140532bd9611625285b56f773

SHA512
aef61c2016cd8b8049885c300daac2f720965cdc8820817aabb0216dd1e0b92c9fa91a12f684b53de61bafd9395fab74a875bba2150a875530aa996807b33a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04fe363dd338da405ea639bb1fc881f1

SHA1
e669ae12d2b84454213818d39655134e28996e6e

SHA256
e9132d61045c0b0b7186bc0aa3edebfacaac3b50000a4ce7a1bd34fcebda63c3

SHA512
cf4fccdae94924d8a3ad0d1a443153fd2047ae131b48342cbd4c1a86986aa4b9c3572cac04320a41b14601a313f149ba9d113638d05a2531a442c18553cd3f26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ce8b7d2315ac515e4b8c317aa91bd347

SHA1
05f3191de202ba1594dd5f77ae62e4fbb6c0f068

SHA256
4bbf03b39f6f0bd0ec61f2f34174dbe2c580d487b7175aa485927f2214e25c66

SHA512
48d280471cc091c0ef17926cb85d9d8565738da6699c208a756d7ed12fbc02e56455744e4949cd909fc4cc1ac0aa69b4f4407416f320a389dc74f3046eeb2892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\chrome_100_percent.pak

Filesize
138KB

MD5
0fd0a948532d8c353c7227ae69ed7800

SHA1
c6679bfb70a212b6bc570cbdf3685946f8f9464c

SHA256
69a3916ed3a28cd5467b32474a3da1c639d059abbe78525a3466aa8b24c722bf

SHA512
0ee0d16ed2afd7ebd405dbe372c58fd3a38bb2074abc384f2c534545e62dfe26986b16df1266c5807a373e296fe810554c480b5175218192ffacd6942e3e2b27

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\chrome_200_percent.pak

Filesize
202KB

MD5
1014a2ee8ee705c5a1a56cda9a8e72ee

SHA1
5492561fb293955f30e95a5f3413a14bca512c30

SHA256
ed8afe63f5fc494fd00727e665f7f281600b09b4f4690fa15053a252754e9d57

SHA512
ac414855c2c1d6f17a898418a76cce49ad025d24c90c30e71ad966e0fd6b7286acf456e9f5a6636fd16368bc1a0e8b90031e9df439b3c7cd5e1e18b24a32c508

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\icudtl.dat

Filesize
9.7MB

MD5
224ba45e00bbbb237b34f0facbb550bf

SHA1
1b0f81da88149d9c610a8edf55f8f12a87ca67de

SHA256
8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc

SHA512
c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\locales\en-US.pak

Filesize
95KB

MD5
214e2b52108bbde227209a00664d30a5

SHA1
e2ac97090a3935c8aa7aa466e87b67216284b150

SHA256
1673652b703771ef352123869e86130c9cb7c027987753313b4c555a52992bab

SHA512
9029402daea1cbe0790f9d53adc6940c1e483930cf24b3a130a42d6f2682f7c2d6833f2cd52f2417009c3655fed6a648b42659729af3c745eaa6c5e8e2b5bb9e

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources.pak

Filesize
5.6MB

MD5
0189f72b35a76ffcf33f457c1c5c9ed9

SHA1
744724f2c543f1a3f6f0dbd1f1a773ab92e052d3

SHA256
eccc333eb22909c05dd55ac45429fac3e0322c83d31e83a57447025af91e69cc

SHA512
ba10319a86aef87b21435a81c961239a1e61a6edb1efc39066283b2376d250441f52b46079768ce0de5010d64c69629faf2635ea365145905304c46789d7e9e7

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources\app-update.yml

Filesize
91B

MD5
89a87240dd48d49663488139c41d10f0

SHA1
9cc1f64a3529160741a683b39dff9aa184f3d2f1

SHA256
6fe43f1f33de29426d24af215ac34862e89619a79ab8b7afdc8c1d72a97fc285

SHA512
31fd3549aadf1305c7eb98d261ddecfe24e3c22816a8de3f8da68567b08bc622432dd431d609b1fee7140937c80aafe3794809065deaffd169bb03839891a0e1

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\v8_context_snapshot.bin

Filesize
160KB

MD5
03c3851343e11392b24b91897910b060

SHA1
9ec2de38a63ed606c1ed545f583ac427b48b3192

SHA256
0abf6a4b73a4abf6e43eb8eac6fa9399164166502de4fd23e9a659f47a416600

SHA512
80144fa894ff193027b4ff24a0d4301e41d5f0fbc39dc1e5c14f2834e9092765739a956260182396f275faabfe07329c685bb095a9aa72286141d9b1cb0a354a

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4CC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF57B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5b7a1e57434f4dafc4d560171a8efbb\command.bat

Filesize
322B

MD5
694d0e0cfad90ec5fa987eab1dbc8025

SHA1
97891323366f0b51f7294bcbb101dfddbbc16a5e

SHA256
bb569cf53989a6fca920247303e6187b4ef0ecf42ab278a4c637899200b47c01

SHA512
43374ae735f550d4ee23d7b2b3aaa87658f5a4c82217b4e66825df9e7efdd487abcd1a1049ff2b3169956d7321f5f910fd02cef1f7df8c5529f30a00826125d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5b7a1e57434f4dafc4d560171a8efbb\execute.bat

Filesize
352B

MD5
94f529db0a5c4e0b89900bf61e288fb1

SHA1
e9a4b8231bdc37ee8270c94a11f4f877ec3595a4

SHA256
ca7adb7a7fd4bdb8826f0553d54459b0b98b49a52f3b803ac44b1ced8698ca59

SHA512
6752f4831e7060347fe9e85ec9bdb30cb794e4b6dda843240224e79a10d350a28170d05c5c313e1bf6493c6a8bf176fc129d9761996abb76f35d1fc8eb008352

Download Submit
C:\Users\Admin\AppData\Roaming\308c8bf2-452c-4d54-8f3f-e329a5db250c.tmp

Filesize
681B

MD5
56c04bdd23aecd1ff7dfe5b5ac217207

SHA1
c892f9d3fba7f00092db2dd0d626a74e672f3e16

SHA256
c7a31f0ea05952b2ec900057e701252e873af960e75e9cb9310bdfeec4d70add

SHA512
01a8a95b340a0aaa065f767422f75a6961812502bbfb4d10af07e830dd18fa10264514a4abfee504a98e257e93de0862c8de6f535c3f38e5c598a176a5e52d20

Download Submit
C:\Users\Admin\AppData\Roaming\7c544e36-3f8c-4e8a-b9de-2572ea7afad4.tmp

Filesize
683B

MD5
8fa33c760ab9dfac1e53c8a01ee80a93

SHA1
8e51b227829d1d86b5a504992a11184c8de27861

SHA256
a76fc6491a6239eb9b5ff42da77b4966dbb28cbb9393a6e85e9d16e2ffa74a8d

SHA512
562c9ad992933175955d03bf7666b775cdbd843599d59c8cc191200d2e164c177b302bda830d42cdd2c7834ecb8af476cbbe173f9cf0227ebbd21463e61f383d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
02e5aeef95892d105e8a44b63dd6a720

SHA1
f404eb6dc049369ad4360bbec67289ba650102ef

SHA256
b1da1d73303b80d826f0f79adc0e1846d3c01233b5a62bf2adb1b7d91d2083bd

SHA512
e3fda3576c2365ad5695ef77c0461263c7f3751d7113c120a68a7fc128e8f6b6f8768299445b350a8b44124333943f17e8bf0bbd830ac00135c96166c7a594b4

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\68e38be0-b393-4b59-b0f1-ae52c8fceee0.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
c7f50d5ad1aea0ac2a6cb52b71065754

SHA1
d2084ee7c6ecd1afa95be0c83009015603161cf1

SHA256
2cdf40c39e6d7b6cfae7b4d3b1f4b62a16d14c22a27a5f836d631b06d8e6b4b1

SHA512
47a380b4b9bea63b53885cc5c91874151f976e82385ed4b109f7c0819351dbc74d43ea95f1c25aa04da6df07244c002e040f3a58766610b0c41ab5d4e02695f4

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Dictionaries\en-US-9-0.bdic

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Network Persistent State

Filesize
4KB

MD5
86fbbf5b3b2a29040ed5de3edd9cd59a

SHA1
cbe1ca2f6292dbedcc2b6af6d7ce29ebad6cfe32

SHA256
b85e5a0d1119c8e44b0dbf956422c091a090ad0bc5995d41839223269cd4bbc8

SHA512
7ab0611573de930c4b1ed6a28b45bd9cac393d19ca2b93f2d5e3ac94313ad28de01b2272ab07604964dcc5bbebcc1f673cd88d204fce4de95b82ca88398e6e4e

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
eacb737234571cffdcdcedc1a3ed6d56

SHA1
e5201e213e5ef491fa8123a4f7b00bb0d45595ab

SHA256
8ca300269f9f0b1c2f23431bc3c13754bc98fae21d868aef89ddc36d06b33088

SHA512
e13080b4ce57c712826402bf9c7a8c9f830a38cdc422d6b853a6be082cfac44f872df2bd65a30d99f21b7bd55f253d9a53268c259867a9dab00447ec72ba8770

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
347B

MD5
8047fc3366013b1cc8dbf7633f74811a

SHA1
98a86aa87be2bc071cd94454dcb4082606c7cd1b

SHA256
2d3b44c11772645dcaa75e4717fb1daf7638daa4502bcdf71ac3e2613636b216

SHA512
b2d1d23da8c45338a74002ed2650c1ab69ddc53817066ff02835b37e86b5c4963bc12a2e9fa3785a246bc55b4a6d960079cff657f414570681fe6c8916a8be25

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
348B

MD5
4a58dbd34f75b18cf87e9e72b2d8a81c

SHA1
25a1dd0700f9884df115e0e0ea7f9c5670cd6588

SHA256
0ca18509cb873c5ad0cd900f47745edcdd86e2f162372e8086e215224b56dc75

SHA512
ccadce3a59ed7fa43c2f3ed4a94150d61e4bdd932e5d864fc4971786fafa1b32f58cba1fb47a70211403145aa79535ed05054c4c80ebda9387da8c0b27f3b6b0

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\d94c6393-4bcb-4604-92e8-12e33a413665.tmp

Filesize
681B

MD5
16e89c67c7970391f8110e5c41420d6c

SHA1
85aa7a2349f861b99aa3dadfdc40cc80fa3e82fe

SHA256
af652429695a21290dec4f8eaff7463a872d7469aa015215a9186dd8a92795d8

SHA512
7d0d9b8ac9910d4ed6119846be0d5be60a0aaecd437a503da3f46298c5b34addf87b77943e0f093e88e1282d5768be95b2eba6e907d9d4ffd35aab3b061e57ad

Download Submit
\Users\Admin\AppData\Local\Programs\RBXIDLE\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Users\Admin\AppData\Local\Programs\RBXIDLE\ffmpeg.dll

Filesize
2.6MB

MD5
e75e08c888c96422068a7dec5b1844e3

SHA1
3ef8efcd066d218b116290483099ea610f722a7b

SHA256
6145fb062a750ff9d8f2b3ab4b7e07e2d9c1763acbb975b0cbe1123ed274f23e

SHA512
617e99ffb60e49a9576d42621dc5ce99c55db60af6f0c40a220a994409c7b82aec6bebe226d299bcd7a1720d3264001aa363b40b1460e023cff48eb6ca6ad153

Download Submit
\Users\Admin\AppData\Local\Programs\RBXIDLE\libEGL.dll

Filesize
431KB

MD5
2abed6d1a85117fc8e319db10303df46

SHA1
b8adf5c210d4d8cb7fe47d1fcbe5aaffef6a7c1b

SHA256
13bba503fb0ad061b3b32f3a1580c50e3379c8f8da4de009c85bca294ad0d6e8

SHA512
020a3c1f58f3eecaa992ea59fa09ba49fe5da6d117988235a847eec7bfe4256093dd1fe2e8c017260eb6c23f7602a67d49c10d5f8d1afe21af848f2f96c11b7e

Download Submit
\Users\Admin\AppData\Local\Programs\RBXIDLE\libGLESv2.dll

Filesize
7.5MB

MD5
bdef859433e7d3aa28c09e0e56bcc527

SHA1
366f2249676473754866559b442ef2e54df2544f

SHA256
8c13a4b5754ce67f97df2cb4ed356e44e4d902002600136f07c0d6b6837c182e

SHA512
4cc22db001d9f94db1443f64d124baa84b20e234d18c523d2dad62c8ecf421884b85c56ea080e81d52a96d5141decee3f761d3481f5b73a074fed9fd11f53451

Download Submit
\Users\Admin\AppData\Local\Programs\RBXIDLE\vk_swiftshader.dll

Filesize
4.3MB

MD5
d748b67bbe5e511afd2107a51f857a32

SHA1
33b0b7ea20e112448c82f43fc52e39726a8a03e5

SHA256
bc965a0b30106263801249b156321dd1740117789f72f61329b61746c0f46c35

SHA512
53a1df01847366e3282f8920c1b71b135b940929c85e944c6b00ab557458ad1b3eeddff0e69f89592706e90a36189a44e5e9bff23fe0331dbaa8233d38e95536

Download Submit
\Users\Admin\AppData\Local\Programs\RBXIDLE\vulkan-1.dll

Filesize
715KB

MD5
6a05b161245180545849155b1cf63253

SHA1
db0393114078ff56c8fab49e2ed680324f4e31f3

SHA256
05c6d4aff774c0ee8190749a8cdc359ca294e0410a56666d14730f9456ff51e2

SHA512
0e4c8a15e55c274513f60f0e57da2dfea8c9fdcf47694bc7a4c0e29eb9a1d00d10f7e9493da7985dc352cc006e5244fc84c5a048e1d8a1f911757a41684fe257

Download Submit
\Users\Admin\AppData\Local\Temp\ace17ba8-3d3f-43d9-b3d0-3450cec56e32.tmp.node

Filesize
191KB

MD5
7ec7dd493ee9bc5ffc207d58eef582a6

SHA1
f00bb96ccff396eaf68b40745f43c130af96ed85

SHA256
4f0dfd414666f66c1d93191e0314f86c1ae9e68405486bfe89e473816ecc273c

SHA512
4b9d6a8a8e56f377802458a79b8d80131fbbc34aac6debfc8bef05cf346008448aed18571a8e837d359f72dde0283b27ef5de746988fc420b49789f3e4c989ac

Download Submit
\Users\Admin\AppData\Local\Temp\d1d63930-0a62-49ed-95f6-a7e5b767636e.tmp.node

Filesize
212KB

MD5
c2387a887c8665868269dc1ddb6d73b7

SHA1
a21ffa918e33972c77bd5d7d0801dae8e0da0b34

SHA256
4dc72530341ceb89eb249d04b9d914b7375ef45aa0cb9cc0640e45b69cf8cb2b

SHA512
ebbbaf2befd93c74693813c0de8846806d939bc1fbbbff94f20b85d019fa0194891859b8b2ea7e736320dc6b0a789ca443452ac22d8585243de17cd1c07c324c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90A.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90A.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC90A.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1516-1191-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1516-1190-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1720-841-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/2792-918-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/2792-883-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2844-1181-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2844-1182-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/3832-1505-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/3832-1534-0x0000000002340000-0x000000000236A000-memory.dmp

Filesize
168KB

Download
memory/3832-1535-0x0000000002340000-0x000000000236A000-memory.dmp

Filesize
168KB

Download
memory/3832-1536-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/3832-1537-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/3832-1524-0x0000000002EA0000-0x0000000002EFC000-memory.dmp

Filesize
368KB

Download
memory/3832-1506-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/3832-1523-0x0000000002EA0000-0x0000000002EFC000-memory.dmp

Filesize
368KB

Download
memory/3832-1516-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/3832-1522-0x0000000002EA0000-0x0000000002EFC000-memory.dmp

Filesize
368KB

Download
memory/3832-1521-0x0000000002EA0000-0x0000000002EFC000-memory.dmp

Filesize
368KB

Download
memory/3832-1517-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/3848-1515-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/3848-1503-0x00000000028A0000-0x00000000028FC000-memory.dmp

Filesize
368KB

Download
memory/3848-1514-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/3848-1518-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/3848-1520-0x00000000028A0000-0x00000000028FC000-memory.dmp

Filesize
368KB

Download
memory/3848-1525-0x00000000028A0000-0x00000000028FC000-memory.dmp

Filesize
368KB

Download
memory/3848-1504-0x00000000028A0000-0x00000000028FC000-memory.dmp

Filesize
368KB

Download
memory/3848-1519-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/3848-1501-0x00000000028A0000-0x00000000028FC000-memory.dmp

Filesize
368KB

Download
memory/3848-1502-0x00000000028A0000-0x00000000028FC000-memory.dmp

Filesize
368KB

Download
memory/3848-1499-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/3848-1500-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/3848-1484-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/3848-1483-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download