6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3

Analysis

max time kernel
147s
max time network
167s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RBXIDLE.exe
Size

134.1MB
MD5

92d241ee2322192f628a7c0ca5c48f48
SHA1

60e19cb221c868c750601ecaf88309dcad32d886
SHA256

93d3e9ee4cca55a9287418e12eba8929bc471aa37ec213147f7bd8dc0896f98f
SHA512

8ff9dd69f699d7d538b12e03564a04d1f31aaabc00cf2895a33bd8edf6e7864f888dd065c74ea6de9376da96a44c566b1b59d328c6e7c9dbc91ff03cfee3e75c
SSDEEP

1572864:UUIbvHBgU0Tj91hRhmsMj9ZcZW0SUqDQ:UcUw+AGE

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
1860	powershell.exe
2052	powershell.exe
1240	powershell.exe
3000	powershell.exe
2392	powershell.exe
1956	powershell.exe
1032	powershell.exe
1936	powershell.exe
328	powershell.exe
1028	powershell.exe
1708	powershell.exe
1312	powershell.exe
2096	powershell.exe
1372	powershell.exe
3024	powershell.exe
2292	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	RBXIDLE.exe
2328	RBXIDLE.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2216	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
107	discord.com
108	discord.com
109	discord.com
110	discord.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB0F9461-A500-11EF-8B3A-FE6EB537C9A6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d066f0d20d39db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000274f2a0d381b883c8a5f17c5aa99f5a1afc13fe5a371001d3313d8292c35f76d000000000e8000000002000020000000b119bde118c3d991afd2330abee286f8b28dd2423437c238410ea1a3da3e35a690000000b72f633a39a1ac4e5a12de4ae8853e197cb79392a704e21713fd75f6806c962f86b1ea9bec85319c9cfd5dd9a56ba95df6926892f96b35091b2625416591a92e969b971d094926df9e76e1f8a19e06b837e01b542e8e7e7191ebbe822e122633197e46e4ded07a9b7bf36a83e294e7f3133ae0a042c7aa9c1baf1b69d3031b29a939d1331e72b96bb51a7db4c1349bba40000000133753eba36f94affd72396d17609d051c761ed4c2b4be326f6e01b02cfc12b2902a2819e985b08724d3d342fd085416a6add97ef742c66fb8975c0d0b0d2785	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438022781"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000004b9ecad65cd07aad57837053d73bf83da44e2352feeaf1c413f7189e1d3827f1000000000e8000000002000020000000646343579e38b08008c86159d8470e967540a88ab31474a4c8235998363c5d3820000000dd5bb9abc9f840e4a65f0fee711415e2f616e914239d9601c985ad47ab429805400000005e88bde8e26ebb29fdf78ea354c8f7348d8f25c55296f91b9eeabfb45d0ed92fd99d5ba8ad2c77daaa9d37912c246b64fdc47bcb048d0dcd30fcd3f15080e885	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RBXIDLE.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2532	RBXIDLE.exe
612	RBXIDLE.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
3024	powershell.exe
2292	powershell.exe
3000	powershell.exe
1956	powershell.exe
1372	powershell.exe
1032	powershell.exe
1312	powershell.exe
328	powershell.exe
1240	powershell.exe
2096	powershell.exe
1708	powershell.exe
1936	powershell.exe
1860	powershell.exe
2052	powershell.exe
2392	powershell.exe
1028	powershell.exe
2216	dxdiag.exe
2216	dxdiag.exe
2328	RBXIDLE.exe
2328	RBXIDLE.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2844	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe
Token: SeRestorePrivilege	2216	dxdiag.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2308	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2308	iexplore.exe
2308	iexplore.exe
468	IEXPLORE.EXE
468	IEXPLORE.EXE
2844	dxdiag.exe
468	IEXPLORE.EXE
468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2132	2328	RBXIDLE.exe	31
PID 2328 wrote to memory of 2132	2328	RBXIDLE.exe	31
PID 2328 wrote to memory of 2132	2328	RBXIDLE.exe	31
PID 2132 wrote to memory of 2288	2132	cmd.exe	33
PID 2132 wrote to memory of 2288	2132	cmd.exe	33
PID 2132 wrote to memory of 2288	2132	cmd.exe	33
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2924	2328	RBXIDLE.exe	34
PID 2328 wrote to memory of 2532	2328	RBXIDLE.exe	35
PID 2328 wrote to memory of 2532	2328	RBXIDLE.exe	35
PID 2328 wrote to memory of 2532	2328	RBXIDLE.exe	35
PID 2328 wrote to memory of 612	2328	RBXIDLE.exe	36
PID 2328 wrote to memory of 612	2328	RBXIDLE.exe	36
PID 2328 wrote to memory of 612	2328	RBXIDLE.exe	36
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37
PID 2328 wrote to memory of 844	2328	RBXIDLE.exe	37

C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe
"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2288
- C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=gpu-process --field-trial-handle=1044,18296163566992215369,14033779383697318964,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1052 /prefetch:2
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1044,18296163566992215369,14033779383697318964,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --mojo-platform-channel-handle=1324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1044,18296163566992215369,14033779383697318964,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1140 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:612
- C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --field-trial-handle=1044,18296163566992215369,14033779383697318964,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\execute.bat'" -WindowStyle hidden -Verb runAs"
  2⤵
  - Hide Artifacts: Hidden Window
  PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\execute.bat'" -WindowStyle hidden -Verb runAs
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\execute.bat"
      4⤵
      PID:2868
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass Add-MPPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RBXIDLE.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass Add-MPPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\RBXIDLE
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "explorer https://discord.gg/XB94k6SxWN"
  2⤵
  PID:2120
- - C:\Windows\explorer.exe
    explorer https://discord.gg/XB94k6SxWN
    3⤵
    PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1""
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"
  2⤵
  PID:2880
- - C:\Windows\system32\dxdiag.exe
    dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\SysWOW64\dxdiag.exe" /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"
  2⤵
  PID:1920
- - C:\Windows\system32\dxdiag.exe
    dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\dxdiag.exe
      "C:\Windows\SysWOW64\dxdiag.exe" /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:616
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/XB94k6SxWN
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2308
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
530B

MD5
5e275db761aa5a23ac651af8f6c4a000

SHA1
583fe93323b8fee3be1469f2d1bfc16a091ebc70

SHA256
3b9b2f75b724fe5354d24a0ef729b8a2aaa8a9313166eafb1f73b07cf1a745ef

SHA512
892fd01ee561591cee4d00ae4cd3cc91a07587c097d6969f8392af87582f93c259c52dae17d161e22ba12bf47b0d4d9953cddcb7df91a4a0e4de1a9873c936ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
5b481c413e1ce4004df1d10c69e37e7d

SHA1
e04aa72dd729ea1a255ecdc67fe7279c6f6b4220

SHA256
3661b568477ecb4a8293dee69c6f354a71209aade99381411929da533f03d64e

SHA512
520d7bc8966a729d4c31ce41b0b198a13264ade1ae800ec26123f049d59b110a5c1fc84bb0013d2a4003707e75459a3fb12289cc76458543531e4d0700b4c756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26f1f037c9ec3fbc9e1fe936def1cd1c

SHA1
23f1db19bd65a86604189f19ac6e3698ca28e381

SHA256
6d01d7da0acfeb28ebda846afaeb6267d7ecfbe48735e75ec0025c13fabbe6bc

SHA512
ded0019d51017bbdf09ab81387e23761cf138bf9eb98a0099da24ba2e44c55fcd1a6a8979b7f97a48f0680e4db0d5e3c7c98dd299832dbd01fee03e8f95b8566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0110283549e99b2a87b14b068c8b9a1

SHA1
ed147b9e73ea14607c01d8bba9ce211a5eaf6520

SHA256
707580d6e50f7feac1c3735414c7a0e5f52f8dcca42405f721cad7d2682c3d91

SHA512
1cb37374c1fdf2ceb7da075d054e71bece1f443de9aba8956371f2a7c1164342853c43fe1a8bba254bac2f4562195a3e6297b3a8153da7cae95ba419b451d73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
610fd0560c053009355884cfc3930974

SHA1
1ef188f2ef2ea8a78ef62fde5a768bc406eb08b0

SHA256
e82b42450d1d9c2356ec414a912c847c687a545122fbef30462545a134bc9d3b

SHA512
872401c30f4238903b64964c6f40c2c33eb201f2c79e1762d8d0c9f8042c0637259a72adf0eb5dde7fefb5b1f95d2d566ae37609c60036a16462d1955035eed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7feca02cfc8d2b4deacad667ee98a0

SHA1
301a1ef0f923304929570ebb0a258f8adeef91d9

SHA256
1501775655fe48209588ff4df697ca714460304f3c6613eb4ec7c7e9cbde711c

SHA512
c92c1329c34f4a9ffd4113f80f580c17975dfaf523e4b14e5b9109525ed2f63c0b6db7b4185a5fb119096fece362bddad656edaacdae64080abb9180e39076b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a776a0b6cf10288ebd6e0336bd793a1b

SHA1
b16aedfd919bb4a2c463ae173d964cd745a4d6e5

SHA256
31b59c7d9dbdf6f39a4de3b5da33b1f0ed828911b94d238ec0603e5434ede9df

SHA512
b4a584349af5c8cf780aa2463adefd60d2ae28855f260e4124d31d4f686fa6e552aaabcd7a89111ed1be8168ec8d0612c0ed1c87c2dda476c4692a4d6b35561f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e7a6bef626058d78e0dbdaa23d29ef4

SHA1
8dcb85154943fa788b6966213701de0feedf2989

SHA256
b1e541b621a2321c3cf739813768d19cc938fe52d4c18a26aff4940d3199bcac

SHA512
13a3c585e01e2cb7cedada09fa8b567293336d476c5a3123fa3dd416ae7433c0385ce442055b85b21efe8788157990b38ae5ec180591814284730e536a59d915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
960fd12dafba0e6fa20be14460d1d0ae

SHA1
b49e222cdb3deafa2890a839d7c8e85a63680406

SHA256
a7e4c083c1158566f5806258a27a88a8474c5858179a341288f390dca793e588

SHA512
45ca186c341ba0100a6c201ac18df7d0c7bf47f7510c279b6406f27970ac3767a2f62965dad0c1718e98bae5bdbdab335f555cb674fce0d98576a8ecc15c7aac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e876d503408ba1fe1c524689bda0ada

SHA1
b0f23b83c35dfcfe597732ac7d7eb3138af07949

SHA256
cfb706c66b99a179b2f5bc98418b6f16b8c2597bf8d678922599034cc164ef22

SHA512
9b9d07513491f4713c50e9a71dd68011dfefc1fec2e2e1e4389210f36c6e1d43fb4ed9f567581170717b0fd96e1001e36ec25b904a4dcaca1018d0c4947da394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c19300ea64dd457c149d7636d0a0b27

SHA1
70e0f517e43cdf50708768612103630ec084486c

SHA256
67a150d5c2fbd52d151355157140114c7002444f6eb170fe85a2aa0322b3b37b

SHA512
c96133b5cc58a800f5530e0feb910e77cee7bf702e6562357ead785e3cfb38e0fe15f6687348a968279cbfade4726a6d235bd084df873041c28322fbb5ce0fda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13492ef58dab18b591effc2369d2c486

SHA1
b30d8cf94f9b35aaffcd7a4105f4ceddbb5d4476

SHA256
f018013c94c5d9f8584c7a0de7095750f79686552c5f9b32670d5f116088ed79

SHA512
cb9d934197678223429b2c9bb752659ca0c50f29b7b881ab41208dec96286b8f9d1b7dc277f914d0bc92939776b0da6e3f9c751c8da1c4dc14b0bfa4e7038780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85e5e2b7beec6e23f00738779ed933b6

SHA1
2ed94cc06716ed86d7f1294b4952872941aff79a

SHA256
246ad9f5ff9003a4b53bdf91bce22ea6484079ad0b27f31e009b3ec9c6006c5f

SHA512
fc114a137aa035327c5367dd056ccd17fc1f194d3e4ac51ec58f0fb34189b9a4da41be18b0f213336a55742cc4b367666c180cb68bb5e79af055d5376606514f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
873ed0306f15766f030671312d5bc040

SHA1
df8dfe7ac9f4c2cd226adae12a14098c42a198c3

SHA256
94cf7785db434a2d821372582ceafca90c83003b36dd1b911d1acb7263d65546

SHA512
01dd3a6aaa1971d1300dfe124a8c89fce870bcb2568b1f41305cfe377f8abdbab6d5e7104a359b8e07dc858bc531486721a665858db5729492e1463ba708201d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13d53edd37c14c42333cc0d45e093f7c

SHA1
f0358be4f4ba8f771ca6b9b44bbacbe342132215

SHA256
800d551e8c314b0bf141ff65c5a28a11ef303dff8f118561c1f2e7893cbb11d8

SHA512
27984d11c956ed5a3976dfbe6fd38a9de0e3497c72ea82fbf43d3942b763f2f1c3bed4f59d3c4c5aecbd06bd9f64c0f3a5600da5862619f733f5a1f1605255cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
446e0f2471efe19ab75652e31e49ee4a

SHA1
487933c268d239763420b560eaed7c25cb01aef2

SHA256
78066f8744347ca9f2f9935647a824fb93093d615975533da9c108de8a4581d2

SHA512
77ab3e0871708730f56390c39716c1b2a3f34360e1b4eea9bfe69e9fa3e91dae2f4a9ce0a0342416d52d74aa56c207217eed627f2911515c6eccd5c5ee08f3a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff9c294c8a9ce6c796dccf4c9815014f

SHA1
843cb8b38f3b634da1ea656192aebc764158e1ed

SHA256
5ed257279b116124080bb9291c81a585d5ee8e764e2906056b7d82ef5141c235

SHA512
736fac47c57a42b622d0ca8006a517ad1fe979759ed29febe84c1f1d6540bc642d6fad11c152d0f6890375c018842e858403f41cad65fa19e8d5eee533ecf6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cb421642aa6ca336d04824d07701ab7

SHA1
77fb7cbaa450d1bfd050c6561cf845ddd65eb43c

SHA256
2de510b8998cb7f1ae3be689c51831611a0f40c4b30d37f35017b6a82bdf537e

SHA512
34f1ec1ed2a13338a59465e17028ec28a08b3676278196d248ed40c9c3f2168f416c3aa67ab04df7bf8219814bb442eab4f4a08ed43955b8cf0b663d3d1529fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3343a6c559f561d567a1001d317454c2

SHA1
bcdd0c8f92cc04ef5df91f337a93e9cd37e3a838

SHA256
8477552357bdc5ad3ef9de932fec6bb27a2336092e051b320ef8c44fe97ef1fd

SHA512
3b6082e4609b3bdedef64a3554d1d3ba402e938fe6b9eabcc0a8669717dce724aa40fe111afd6ecc904ee35ac13dbd5106202b953b02aec6dc9107b6e691ae50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a961422271c2175571fc10840ee26792

SHA1
c08f439761f1ee8cc66f9233a3c11d96bd1eadf2

SHA256
6ba1faf864df61d4a92675026acf66cb77719801ec8ff578f99c9e0862192aae

SHA512
93ebb484ad071efd2a1ae8481e852177442c0b6591062b95c14577f06d87f999472f7f214efb04cf434c81911131c6005f1de6d7707ef21f5203218c1274cb79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd41ba074aa9d55095efc9106b243542

SHA1
924d2c7f5cba057975922a583722329add0975ed

SHA256
7f4e9a7c0b7ce1b02a2d21deb295bedf60f73e7bcc0b333e30e7ec1baf7be848

SHA512
848d672bfb3e03947bc149590e8d6bb5accef028452de20377c015f68907bf843801a50614623170ab17da68bd613f43444f39cfa1ddd0483b0dc39188e654b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e705bffe0ed5f052975d4f5869bc468

SHA1
5414be2cb5f4b400284457c97bfff18884b343a8

SHA256
70dd2d8e0d6338227fbe0ece2a2007ea6f35be2b0e9234f909fa74499003cdae

SHA512
e02861819f8a36573e6940c02eb3cb23a43c6605f2f6e4f3629c25dc84d74dac730049de49cf7f7336cb07bf2bee7c26efd6223090e73e50dd37610750bc031f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdab5b437a5b93ab2c91b09030432685

SHA1
47a010447893d57a995e777c93a93a3ef1ba54ab

SHA256
f21aceca02c0bce637e5f962155d3bcddad2ce4a1ef69205fcf67492e850d71f

SHA512
58c91e7e52f6de71b512ef7e3f19c852bf4237d55cd0e76d7de27b69b8b3e7f9e18588b89e8c5356de5a44423d0596131aacc2d7dc641a00c84a668ddccc4f6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94ac85fbd36f97b9018ecabecef3dc5e

SHA1
713d339b31be107ef0205c798f059c84fdb39f20

SHA256
1bd07d4a4907e866eabaae43c9348b3ab97699c67949eca9c600edfd594d4289

SHA512
427e287180c1c419f31ff93d3535791a33e1033912665427cc20155197fada18b0dcb225eb7fca92ae728c8edfe19434abbab5684285e99e507cb8450d87676b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c90d64f927df2d1e68047d5089f4c02

SHA1
b7716dabd2f33a221b1a523ad11861f5cd99ccba

SHA256
cb61e47b2a62f79aef2edb5e2595e0f3e8e7cebb400ecc798b87fc5832a769c9

SHA512
0c56378470cd8482bac63aefc34706d6e9cfe441759ea8985096d76730a511c4898d02ff5ad57c047e538b3f1aa8b4be0e95a68089772f08d91f389a8bff77c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f98384463f7cd0369fb32e87b40e5e47

SHA1
02bd0d3e352a78a6c90f447202852cf184304867

SHA256
cac81823a9504c25a909de778ffce368a83c0eddf88476b40debbbf0ac2549f7

SHA512
044fceaed33dcc5a1eeba0d546f328393a85bb7ca07fd7a044d9de25a7382ac776410e679bb42e43269e467077172695b1eb1f21e59dbef0a98368b41e52d091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fd35560840771aa99bc02227c595740

SHA1
8dbd3cea7d04762ee1a228d66ada0de06f7833fc

SHA256
7739ff33056e979dcf2b9ec89a6b10465d6daf47050223580ecf387e8cdbebfb

SHA512
1d89ef041d84495e147b8485dd665a0a2802c354f014097d4b6d189ebd6273151076684c3375cff6b84fef84aa75261f5f50cab0c7bae4e9502f231f9112fa87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7c55e14a67eb56ea1baf023c922d017

SHA1
4498e259f24bb5defac0d29d200346e72d4b5003

SHA256
0af6ed107ab7e6a61aecb17d38a2371d57aa333927df34ebd0a0279cbd9ea017

SHA512
a97dcee9281b82210fb1a49ae1a2d8d8deed5297ada0213cceca805a3f4a717df2458f5e75531f50a69a6c7f649043fccb8c6afedf955d51c95cbb71034b2b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ff092240d86de2421bb90196fcc9fcf

SHA1
02aae37b0f20d90f02291a40569a5ff06d94d696

SHA256
9475765bd69656e6b3acc5bb60d37ec0c4352b0d045a2cf868d757f820bc12f1

SHA512
3632571c41b098b7b0b145deac6ece8a18b1061e09a88f6453cd312c0780d408310015f861e965db661baf246eaa919fefbda93a1a15f0592cd8e6f65e862519

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
222B

MD5
e142d0d1984ecd3be7649029efddb466

SHA1
f03ad9e0b78910686633ce48cb5ce8f3ec325a70

SHA256
ebcae8df6f9328c0093cfb22266fbd6958f78ad857d7b33c92110607c3f7f723

SHA512
870d3cccdbe8461bc34e1e47ceec0c1cf812ceb7be7ca0a22a7c0b3ee4a9fee1ab9b6ca3d007c813f0b1fa90ca861bae5330a038ffcba695ae57765999fec16d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f6206b9fa47a9ea00b33b22ae8a9dec5

SHA1
e6f783bc90b0990e0baa8232e5ee3d3665004faa

SHA256
080b24e4ea74661ab84608695702f336b6a217d02ed19a649aef5d344f615bfc

SHA512
845cca63026cb974f7dda0edc845fd3324b9fe1b49d31e22e9239fde4d52260e1c214a03ed69cd5e1751b5a6d27732ddeaf758f6ea460e4d0fce3e509af47cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
24KB

MD5
2564d5e1ba1b305093bd2ff3ff7c36a3

SHA1
e256744a6d73b036c3b6a6a0be3f499c1184d332

SHA256
f80bc49e56c6bc7fc51f824c7ea3a817d93eec97dc870d29718e57ed45603c89

SHA512
7a88c3f6466460ca7caa92f61f8198b79c16622f3866ad3621ef01cd11e9bb489db0c93232aa41ae6eac4c2f64c13a8b0dcf8eb710cf34494e8d9eb501e8ec3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\command.bat

Filesize
298B

MD5
3d81ad1ad673a10c27c19ff119e7484d

SHA1
42de481417591da721cdbefe42877a37182e329a

SHA256
61e60c609fdebbe73e00ff2b7d0e7a4977fb7cc88b78080e6db61cf8e9a573e8

SHA512
954dbd9dcbabd36afe7d15d863df6a951f42a30d2e0f74d7076962a030e33d90399ab06330f697220ac9407a2667d87aa020e5e89744cc0ff76934f6dbf3ff1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\execute.bat

Filesize
352B

MD5
93eb17178ed25c31365e0a60b0681ede

SHA1
24bbf2236a8f3c75d6b4e129681bcaebc3a02f54

SHA256
017c1a215d8ef41607f846926ac7d12e7d6966d3c321a2003c27451b38f1407a

SHA512
59ac6df803bc4b17a8525cbb207018d41466c01a5f1fdfaf395754073cbd975d3062d98152bb86a07c67c017c38f284fa8f66582a3bf5dba7a46bf485e720537

Download Submit
C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\status

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\14deaab1d6561061580b2ccc1ad8aef1\stderr

Filesize
996B

MD5
b88b85b5e8c5e1e94279583915d5bc12

SHA1
170c20d286f4e2d8376da004d028c858812d0239

SHA256
f86cba315472f7d61ff5491e0e71355faa09ec855338e2a444ef2958e0d6ba66

SHA512
1f1884d0077da474e074062972927667b2eb42123ae3f944a79cad1ab1a367ac1ad7b5a34a9880c844b68b553f4348ae7f2de90e6f19c5a479873bca530508e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FF8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4002.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\62e9f25f-9345-4327-b4a6-c6900f842917.tmp

Filesize
689B

MD5
2cbad44e04b362cb252e8c40ced29cbd

SHA1
0688e059af6fbbeabd1053bbe10b9e8ccbb6de0f

SHA256
d2769904694e31e2e63e06259ee78a558be8ca533534fad03536dc092c257f97

SHA512
17168f842b94e078175fe09d97eca34e2e2c61d8346d52dd7c32259948c9e0bae64f2c7bc375611d8256f2df6fae5767efd468ec327ebfd950b5ff872ca74ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4d8158c0a499ba0c77bbceb8a70d0908

SHA1
ffa4deecc0a71ae12b2cb073acd141266fb47290

SHA256
687a9264a3c2c68bc24435936891328a3b8ca867f53247a0567ca3e2d88d4050

SHA512
e6572b4969745ab646a437f2ced4e493da36badc0fb08cf44a93621925a7598bf2b976aebaeaffbe38358742bfdfca4f4c48fae73a57437e9cbb4812f9a26862

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5994bb70c68a2497eaa70fceebe4f2b0

SHA1
e0bdd10a00b3d695f6cc61d459a1ecb76b94d101

SHA256
d8006c4d956ad56534cdde657eff3c03af1fe6d049605360db886a2d2f9fdd46

SHA512
6086f2c5de860feaf177e6701de553a1dacf5472e52dfffba176367fcc32b8d8d6fb681bb76a8f27a17fc315e705e81eac160076d949975e392be73de961e0e5

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Dictionaries\en-US-9-0.bdic

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
dfeea452b53c1017d080221df9353da9

SHA1
0fed14368a6e2521c316ac00cf83601e2d77d8d8

SHA256
bbffb6cc6733feba984df456ce7f4253b12c7899a74e828da5b05961f99df8d2

SHA512
7f4876705af384cb631756b776ddc1453b5d99ffd5e29bbaccd7f95d82206eb247064aea925564cdfd0636e1c86fd06aa9684057aff5345d90c590e6908214d3

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml

Filesize
36KB

MD5
f8a9f8ebdf513ef17590df9f0f9beb18

SHA1
e6a1911e0ffae52da3c652fc32d8a53df14efc70

SHA256
b33cf8e063c4f7ac6634e526c6d03910733bee14591e5725213f497d1e5abd0d

SHA512
3d5c9f5c9bcf62eda2b82e03d89f6c5fc34a20f9942eb2039334c8605dffbe83f6b18507d380b3f66808fedbfee11def97d05f406a8c1151f7f0b7cafdd8dfb8

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
347B

MD5
7dbd2d12bb65c1d54c2367d1616aac57

SHA1
558ded471e0e433a92de8649576c8400ac43d0ba

SHA256
a071a4a5772d293f9ee1d3bad478b154723463e93ba35c815fd978ffc21ab8a0

SHA512
f9b2a430a78e287ed9b95c867bc1090626498217af78f7ec4c41dead72ce1982931eb746c265c2a6fe03b292f12d165cde6b021733d0a008b6f102b458aba727

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
348B

MD5
cd2b508ef6edb0f264d20805676ea14b

SHA1
28f6170b358fcb2e54064323275513e66ec4041a

SHA256
d806d614cba48710bd96afd4087cacfdcf13c4a75d3d61c18eb62f448318c4c4

SHA512
181b6de29495dcfdfd8626225dd6451771ba8a96bafbb69b9ac9ad440fda34f7af795ccb3bd4de6255b0859964740bbab8893b6576321a353cb78b6b52670f62

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ac5f7629-85f7-4df4-a5a3-a787e30d2b49.tmp

Filesize
527B

MD5
e5d44e193fd1226b192c484ab756c2c6

SHA1
a7b404eb3acac0c5ec34ab1d154187ecce990e39

SHA256
3cf3338e6bd23ed38f6a470ffdc0df69604f0334a7291ad24d1470108e355717

SHA512
baf11c150608f2e1ef1993b28ae68d87157a496b99c7cdab5785de69796951e90fcacc20d7c02d8f0b00b014c79d74c00bb222b4ba7b1e9bee2b124ad6046730

Download Submit
\Users\Admin\AppData\Local\Temp\0a88050e-70ab-4cb5-a1ea-c7f29e80e630.tmp.node

Filesize
212KB

MD5
c2387a887c8665868269dc1ddb6d73b7

SHA1
a21ffa918e33972c77bd5d7d0801dae8e0da0b34

SHA256
4dc72530341ceb89eb249d04b9d914b7375ef45aa0cb9cc0640e45b69cf8cb2b

SHA512
ebbbaf2befd93c74693813c0de8846806d939bc1fbbbff94f20b85d019fa0194891859b8b2ea7e736320dc6b0a789ca443452ac22d8585243de17cd1c07c324c

Download Submit
\Users\Admin\AppData\Local\Temp\101953eb-2f57-496a-9983-58c0057e45e5.tmp.node

Filesize
191KB

MD5
7ec7dd493ee9bc5ffc207d58eef582a6

SHA1
f00bb96ccff396eaf68b40745f43c130af96ed85

SHA256
4f0dfd414666f66c1d93191e0314f86c1ae9e68405486bfe89e473816ecc273c

SHA512
4b9d6a8a8e56f377802458a79b8d80131fbbc34aac6debfc8bef05cf346008448aed18571a8e837d359f72dde0283b27ef5de746988fc420b49789f3e4c989ac

Download Submit
memory/2216-732-0x0000000002490000-0x00000000024EC000-memory.dmp

Filesize
368KB

Download
memory/2216-728-0x0000000002490000-0x00000000024EC000-memory.dmp

Filesize
368KB

Download
memory/2216-711-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2216-796-0x0000000001D40000-0x0000000001D6A000-memory.dmp

Filesize
168KB

Download
memory/2216-795-0x0000000001D40000-0x0000000001D6A000-memory.dmp

Filesize
168KB

Download
memory/2216-794-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2216-793-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2216-710-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2216-727-0x0000000002490000-0x00000000024EC000-memory.dmp

Filesize
368KB

Download
memory/2216-733-0x0000000002490000-0x00000000024EC000-memory.dmp

Filesize
368KB

Download
memory/2216-724-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2216-725-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2784-238-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2784-239-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2844-688-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/2844-704-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/2844-722-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/2844-723-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/2844-726-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/2844-730-0x0000000002470000-0x00000000024CC000-memory.dmp

Filesize
368KB

Download
memory/2844-687-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/2844-708-0x0000000002470000-0x00000000024CC000-memory.dmp

Filesize
368KB

Download
memory/2844-709-0x0000000002470000-0x00000000024CC000-memory.dmp

Filesize
368KB

Download
memory/2844-706-0x0000000002470000-0x00000000024CC000-memory.dmp

Filesize
368KB

Download
memory/2844-707-0x0000000002470000-0x00000000024CC000-memory.dmp

Filesize
368KB

Download
memory/2844-729-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/2844-742-0x0000000001CC0000-0x0000000001CC5000-memory.dmp

Filesize
20KB

Download
memory/2844-731-0x0000000002470000-0x00000000024CC000-memory.dmp

Filesize
368KB

Download
memory/2844-705-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/2924-42-0x0000000077070000-0x0000000077071000-memory.dmp

Filesize
4KB

Download
memory/2924-10-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3024-247-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/3024-248-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download