6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RBXIDLE.Setup.3.0.0.exe
Size

144.1MB
MD5

f7cd23293d037af068d7b4552f8bcee3
SHA1

32485a4bb72cb1646a3028836378015cbcde2180
SHA256

6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3
SHA512

f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa
SSDEEP

3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw

Score

8^/10

defense_evasion discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1176	powershell.exe
4656	powershell.exe
4500	powershell.exe
4244	powershell.exe
4792	powershell.exe
2700	powershell.exe
2224	powershell.exe
768	powershell.exe
1324	powershell.exe
4452	powershell.exe
800	powershell.exe
3504	powershell.exe
516	powershell.exe
3732	powershell.exe
3664	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3284	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
98	discord.com
100	discord.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RBXIDLE.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 5 IoCs

pid	Process
3480	RBXIDLE.exe
4292	RBXIDLE.exe
2620	RBXIDLE.exe
1292	RBXIDLE.exe
4820	RBXIDLE.exe

Loads dropped DLL 21 IoCs

pid	Process
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
3480	RBXIDLE.exe
3480	RBXIDLE.exe
3480	RBXIDLE.exe
4292	RBXIDLE.exe
4292	RBXIDLE.exe
4292	RBXIDLE.exe
4292	RBXIDLE.exe
4292	RBXIDLE.exe
4292	RBXIDLE.exe
2620	RBXIDLE.exe
1292	RBXIDLE.exe
4820	RBXIDLE.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RBXIDLE.Setup.3.0.0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{48DC7497-1314-4EEB-A50B-32837CF0457A}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{A84E3097-AF14-4657-A6AC-83797E6C4DD5}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	RBXIDLE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	RBXIDLE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RBXIDLE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2924	RBXIDLE.Setup.3.0.0.exe
2620	RBXIDLE.exe
2620	RBXIDLE.exe
1292	RBXIDLE.exe
1292	RBXIDLE.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
4656	powershell.exe
4656	powershell.exe
2224	powershell.exe
2224	powershell.exe
3732	powershell.exe
3732	powershell.exe
4500	powershell.exe
4500	powershell.exe
768	powershell.exe
768	powershell.exe
2700	powershell.exe
2700	powershell.exe
1324	powershell.exe
1324	powershell.exe
800	powershell.exe
800	powershell.exe
3664	powershell.exe
3664	powershell.exe
4452	powershell.exe
4452	powershell.exe
3504	powershell.exe
516	powershell.exe
3504	powershell.exe
516	powershell.exe
4792	powershell.exe
4792	powershell.exe
4244	powershell.exe
4244	powershell.exe
4656	powershell.exe
4656	powershell.exe
3664	powershell.exe
3732	powershell.exe
2224	powershell.exe
4500	powershell.exe
768	powershell.exe
800	powershell.exe
1324	powershell.exe
516	powershell.exe
4244	powershell.exe
4792	powershell.exe
4452	powershell.exe
2700	powershell.exe
3504	powershell.exe
6544	msedge.exe
6544	msedge.exe
5656	msedge.exe
5656	msedge.exe
3368	msedge.exe
3368	msedge.exe
6468	dxdiag.exe
6468	dxdiag.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2924	RBXIDLE.Setup.3.0.0.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	powershell.exe
Token: SeSecurityPrivilege	2224	powershell.exe
Token: SeTakeOwnershipPrivilege	2224	powershell.exe
Token: SeLoadDriverPrivilege	2224	powershell.exe
Token: SeSystemProfilePrivilege	2224	powershell.exe
Token: SeSystemtimePrivilege	2224	powershell.exe
Token: SeProfSingleProcessPrivilege	2224	powershell.exe
Token: SeIncBasePriorityPrivilege	2224	powershell.exe
Token: SeCreatePagefilePrivilege	2224	powershell.exe
Token: SeBackupPrivilege	2224	powershell.exe
Token: SeRestorePrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeSystemEnvironmentPrivilege	2224	powershell.exe
Token: SeRemoteShutdownPrivilege	2224	powershell.exe
Token: SeUndockPrivilege	2224	powershell.exe
Token: SeManageVolumePrivilege	2224	powershell.exe
Token: 33	2224	powershell.exe
Token: 34	2224	powershell.exe
Token: 35	2224	powershell.exe
Token: 36	2224	powershell.exe
Token: SeIncreaseQuotaPrivilege	3732	powershell.exe
Token: SeSecurityPrivilege	3732	powershell.exe
Token: SeTakeOwnershipPrivilege	3732	powershell.exe
Token: SeLoadDriverPrivilege	3732	powershell.exe
Token: SeSystemProfilePrivilege	3732	powershell.exe
Token: SeSystemtimePrivilege	3732	powershell.exe
Token: SeProfSingleProcessPrivilege	3732	powershell.exe
Token: SeIncBasePriorityPrivilege	3732	powershell.exe
Token: SeCreatePagefilePrivilege	3732	powershell.exe
Token: SeBackupPrivilege	3732	powershell.exe
Token: SeRestorePrivilege	3732	powershell.exe
Token: SeShutdownPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeSystemEnvironmentPrivilege	3732	powershell.exe
Token: SeRemoteShutdownPrivilege	3732	powershell.exe
Token: SeUndockPrivilege	3732	powershell.exe
Token: SeManageVolumePrivilege	3732	powershell.exe
Token: 33	3732	powershell.exe
Token: 34	3732	powershell.exe
Token: 35	3732	powershell.exe
Token: 36	3732	powershell.exe
Token: SeIncreaseQuotaPrivilege	768	powershell.exe
Token: SeSecurityPrivilege	768	powershell.exe
Token: SeTakeOwnershipPrivilege	768	powershell.exe
Token: SeLoadDriverPrivilege	768	powershell.exe
Token: SeSystemProfilePrivilege	768	powershell.exe
Token: SeSystemtimePrivilege	768	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe
5656	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3480	RBXIDLE.exe
4292	RBXIDLE.exe
2620	RBXIDLE.exe
1292	RBXIDLE.exe
6204	dxdiag.exe
6468	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 368	3480	RBXIDLE.exe	95
PID 3480 wrote to memory of 368	3480	RBXIDLE.exe	95
PID 368 wrote to memory of 2656	368	cmd.exe	97
PID 368 wrote to memory of 2656	368	cmd.exe	97
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 4292	3480	RBXIDLE.exe	98
PID 3480 wrote to memory of 2620	3480	RBXIDLE.exe	100
PID 3480 wrote to memory of 2620	3480	RBXIDLE.exe	100
PID 3480 wrote to memory of 1292	3480	RBXIDLE.exe	101
PID 3480 wrote to memory of 1292	3480	RBXIDLE.exe	101
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105
PID 3480 wrote to memory of 4820	3480	RBXIDLE.exe	105

C:\Users\Admin\AppData\Local\Temp\RBXIDLE.Setup.3.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\RBXIDLE.Setup.3.0.0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
"C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2656
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=gpu-process --field-trial-handle=1672,8786671343154987098,14790130731393933691,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4292
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,8786671343154987098,14790130731393933691,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2620
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1672,8786671343154987098,14790130731393933691,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1292
- C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe
  "C:\Users\Admin\AppData\Local\Programs\RBXIDLE\RBXIDLE.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RBXIDLE" --app-path="C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources\app.asar" --enable-sandbox --field-trial-handle=1672,8786671343154987098,14790130731393933691,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\de2f6bb9a0341b441096fd153cc4e197\execute.bat'" -WindowStyle hidden -Verb runAs"
  2⤵
  - Hide Artifacts: Hidden Window
  PID:3284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\de2f6bb9a0341b441096fd153cc4e197\execute.bat'" -WindowStyle hidden -Verb runAs
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\de2f6bb9a0341b441096fd153cc4e197\execute.bat"
      4⤵
      PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "explorer https://discord.gg/XB94k6SxWN"
  2⤵
  PID:4940
- - C:\Windows\explorer.exe
    explorer https://discord.gg/XB94k6SxWN
    3⤵
    PID:5472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\de2f6bb9a0341b441096fd153cc4e197""
  2⤵
  PID:5424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"
  2⤵
  PID:4140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3664
- - C:\Windows\system32\dxdiag.exe
    dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml"
  2⤵
  PID:5660
- - C:\Windows\system32\dxdiag.exe
    dxdiag /x C:\Users\Admin\AppData\Roaming\RBXIDLE\dx.xml
    3⤵
    - Drops file in System32 directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/XB94k6SxWN
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff818c046f8,0x7ff818c04708,0x7ff818c04718
    3⤵
    PID:6152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:6536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    3⤵
    PID:6556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:6704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:6712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    PID:5160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5132 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
    3⤵
    PID:5880
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
    3⤵
    PID:6028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    3⤵
    PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:6404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12104895023324587025,1379855934750699199,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
    3⤵
    PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
7b1b8a08f1197a751d92eb3d7bfd3e85

SHA1
a3813481b779c66b45903543b1e4d25cdb24c158

SHA256
2dea9712996aa769864a18c1ed76b9b2c10b3462d42d1243ff8a4527fbd2b6b0

SHA512
6962307254da370a9a9cb0aab3c50eef6de3d2321fc04581ca92a7b1fbc4f028cdd8c8e8f1101a98aff7df57acdf05383dbbd2d6780e9a09030233c6dfeb8bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
323B

MD5
a5a1149047729a493b1a2a65063c39ba

SHA1
8f1f45cb0c0772dcd05795734cbf408636fb9fb9

SHA256
e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006

SHA512
8ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da3400c716b0229c06b260b10fe24845

SHA1
3735a5a0426aa2f3cbc6dc7668438f37507e3ea1

SHA256
1951705dae9c8fef051bfb29f0c8370c77f68ce263daae7e62c076141fb4f9d2

SHA512
3d8d0224f80d6a4ce6db661fb09570bf1c9fae6676103a3d3d123c1263d072e2d169a629505a1c70155466f3a94e7bf904abb7ab673cbfb662f996698cca6f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ebd9394a67312e7636c3998ba6d7614

SHA1
2c28728bd5b727f0a3c8a14627120a1bf016777c

SHA256
c24597131f5e9bf4c97270d0a787a41bf91836ea696375994e453526282023ee

SHA512
6db55cee3a959721b174dc02f9c50f8e386096af1efb779659e3e88175eeb42bf482cda7a56bdbe9119ca2783af33391f628293a5af437f1f1e988360385fed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba9e23004aa17e688bcc1ae5ee30bfed

SHA1
9801f3d469f2c25ba801aad78d90c3499cb08de1

SHA256
0e2459e8fc45a75a88023b9f7d0045c9992b9a4663f45c6030e0b6339af287b9

SHA512
961ad8729dbcf8e8ee0622c64364323fd7564906396ac6d422bb48fcd96c1b7b4ea1517a70aad73a92763702c7a16c96aea91afc33dc4e3c12e80b0e9627cb2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a1e03fe1039bf494d77070f2c583626

SHA1
bb6b31d644873fea13cb3c37e6225670b5682c8b

SHA256
53bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2

SHA512
e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\chrome_100_percent.pak

Filesize
138KB

MD5
0fd0a948532d8c353c7227ae69ed7800

SHA1
c6679bfb70a212b6bc570cbdf3685946f8f9464c

SHA256
69a3916ed3a28cd5467b32474a3da1c639d059abbe78525a3466aa8b24c722bf

SHA512
0ee0d16ed2afd7ebd405dbe372c58fd3a38bb2074abc384f2c534545e62dfe26986b16df1266c5807a373e296fe810554c480b5175218192ffacd6942e3e2b27

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\chrome_200_percent.pak

Filesize
202KB

MD5
1014a2ee8ee705c5a1a56cda9a8e72ee

SHA1
5492561fb293955f30e95a5f3413a14bca512c30

SHA256
ed8afe63f5fc494fd00727e665f7f281600b09b4f4690fa15053a252754e9d57

SHA512
ac414855c2c1d6f17a898418a76cce49ad025d24c90c30e71ad966e0fd6b7286acf456e9f5a6636fd16368bc1a0e8b90031e9df439b3c7cd5e1e18b24a32c508

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\ffmpeg.dll

Filesize
2.6MB

MD5
e75e08c888c96422068a7dec5b1844e3

SHA1
3ef8efcd066d218b116290483099ea610f722a7b

SHA256
6145fb062a750ff9d8f2b3ab4b7e07e2d9c1763acbb975b0cbe1123ed274f23e

SHA512
617e99ffb60e49a9576d42621dc5ce99c55db60af6f0c40a220a994409c7b82aec6bebe226d299bcd7a1720d3264001aa363b40b1460e023cff48eb6ca6ad153

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\icudtl.dat

Filesize
9.7MB

MD5
224ba45e00bbbb237b34f0facbb550bf

SHA1
1b0f81da88149d9c610a8edf55f8f12a87ca67de

SHA256
8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc

SHA512
c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\libGLESv2.dll

Filesize
7.5MB

MD5
bdef859433e7d3aa28c09e0e56bcc527

SHA1
366f2249676473754866559b442ef2e54df2544f

SHA256
8c13a4b5754ce67f97df2cb4ed356e44e4d902002600136f07c0d6b6837c182e

SHA512
4cc22db001d9f94db1443f64d124baa84b20e234d18c523d2dad62c8ecf421884b85c56ea080e81d52a96d5141decee3f761d3481f5b73a074fed9fd11f53451

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\libegl.dll

Filesize
431KB

MD5
2abed6d1a85117fc8e319db10303df46

SHA1
b8adf5c210d4d8cb7fe47d1fcbe5aaffef6a7c1b

SHA256
13bba503fb0ad061b3b32f3a1580c50e3379c8f8da4de009c85bca294ad0d6e8

SHA512
020a3c1f58f3eecaa992ea59fa09ba49fe5da6d117988235a847eec7bfe4256093dd1fe2e8c017260eb6c23f7602a67d49c10d5f8d1afe21af848f2f96c11b7e

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\locales\en-US.pak

Filesize
95KB

MD5
214e2b52108bbde227209a00664d30a5

SHA1
e2ac97090a3935c8aa7aa466e87b67216284b150

SHA256
1673652b703771ef352123869e86130c9cb7c027987753313b4c555a52992bab

SHA512
9029402daea1cbe0790f9d53adc6940c1e483930cf24b3a130a42d6f2682f7c2d6833f2cd52f2417009c3655fed6a648b42659729af3c745eaa6c5e8e2b5bb9e

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources.pak

Filesize
5.6MB

MD5
0189f72b35a76ffcf33f457c1c5c9ed9

SHA1
744724f2c543f1a3f6f0dbd1f1a773ab92e052d3

SHA256
eccc333eb22909c05dd55ac45429fac3e0322c83d31e83a57447025af91e69cc

SHA512
ba10319a86aef87b21435a81c961239a1e61a6edb1efc39066283b2376d250441f52b46079768ce0de5010d64c69629faf2635ea365145905304c46789d7e9e7

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\resources\app-update.yml

Filesize
91B

MD5
89a87240dd48d49663488139c41d10f0

SHA1
9cc1f64a3529160741a683b39dff9aa184f3d2f1

SHA256
6fe43f1f33de29426d24af215ac34862e89619a79ab8b7afdc8c1d72a97fc285

SHA512
31fd3549aadf1305c7eb98d261ddecfe24e3c22816a8de3f8da68567b08bc622432dd431d609b1fee7140937c80aafe3794809065deaffd169bb03839891a0e1

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\v8_context_snapshot.bin

Filesize
160KB

MD5
03c3851343e11392b24b91897910b060

SHA1
9ec2de38a63ed606c1ed545f583ac427b48b3192

SHA256
0abf6a4b73a4abf6e43eb8eac6fa9399164166502de4fd23e9a659f47a416600

SHA512
80144fa894ff193027b4ff24a0d4301e41d5f0fbc39dc1e5c14f2834e9092765739a956260182396f275faabfe07329c685bb095a9aa72286141d9b1cb0a354a

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\vk_swiftshader.dll

Filesize
4.3MB

MD5
d748b67bbe5e511afd2107a51f857a32

SHA1
33b0b7ea20e112448c82f43fc52e39726a8a03e5

SHA256
bc965a0b30106263801249b156321dd1740117789f72f61329b61746c0f46c35

SHA512
53a1df01847366e3282f8920c1b71b135b940929c85e944c6b00ab557458ad1b3eeddff0e69f89592706e90a36189a44e5e9bff23fe0331dbaa8233d38e95536

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Programs\RBXIDLE\vulkan-1.dll

Filesize
715KB

MD5
6a05b161245180545849155b1cf63253

SHA1
db0393114078ff56c8fab49e2ed680324f4e31f3

SHA256
05c6d4aff774c0ee8190749a8cdc359ca294e0410a56666d14730f9456ff51e2

SHA512
0e4c8a15e55c274513f60f0e57da2dfea8c9fdcf47694bc7a4c0e29eb9a1d00d10f7e9493da7985dc352cc006e5244fc84c5a048e1d8a1f911757a41684fe257

Download Submit
C:\Users\Admin\AppData\Local\Temp\78b08713-4f34-409f-ab9d-7eb2e644467d.tmp.node

Filesize
191KB

MD5
7ec7dd493ee9bc5ffc207d58eef582a6

SHA1
f00bb96ccff396eaf68b40745f43c130af96ed85

SHA256
4f0dfd414666f66c1d93191e0314f86c1ae9e68405486bfe89e473816ecc273c

SHA512
4b9d6a8a8e56f377802458a79b8d80131fbbc34aac6debfc8bef05cf346008448aed18571a8e837d359f72dde0283b27ef5de746988fc420b49789f3e4c989ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgvwrlom.2dv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a00584d4-98f3-486c-83c6-8aa24c8adcb0.tmp.node

Filesize
212KB

MD5
c2387a887c8665868269dc1ddb6d73b7

SHA1
a21ffa918e33972c77bd5d7d0801dae8e0da0b34

SHA256
4dc72530341ceb89eb249d04b9d914b7375ef45aa0cb9cc0640e45b69cf8cb2b

SHA512
ebbbaf2befd93c74693813c0de8846806d939bc1fbbbff94f20b85d019fa0194891859b8b2ea7e736320dc6b0a789ca443452ac22d8585243de17cd1c07c324c

Download Submit
C:\Users\Admin\AppData\Local\Temp\de2f6bb9a0341b441096fd153cc4e197\command.bat

Filesize
322B

MD5
694d0e0cfad90ec5fa987eab1dbc8025

SHA1
97891323366f0b51f7294bcbb101dfddbbc16a5e

SHA256
bb569cf53989a6fca920247303e6187b4ef0ecf42ab278a4c637899200b47c01

SHA512
43374ae735f550d4ee23d7b2b3aaa87658f5a4c82217b4e66825df9e7efdd487abcd1a1049ff2b3169956d7321f5f910fd02cef1f7df8c5529f30a00826125d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\de2f6bb9a0341b441096fd153cc4e197\execute.bat

Filesize
352B

MD5
8d71f69ee867395bf971ba35c618e5fc

SHA1
6bb694ba6082498943bc68131990bfbeed1ef520

SHA256
bb53381ed9addc814770f32be61cd32832bacc4f74232a8640f80df019858841

SHA512
af06bebaf708a44ad1435bbcf4c0937b585dd909769f017455c1b5e8879dd0151bab0f558f94e5381dcaa8c7da585af8bd5ce091ddb010b6ed7c958b754a008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC44B.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\0ab92678-7e1c-4062-b3d8-1289a3bafb79.tmp

Filesize
874B

MD5
f8dcb630f8803e8d9f381cdd14b2dc4a

SHA1
0ca9f40fe44eba459f0d4fc2f67fbe4547e43fbc

SHA256
395f5c397659edd29a14714c32340f0a0385a6a193c79bb3087359d022d76b85

SHA512
cbcc5552b21e78cd0283da25629e366102671792e44bac3f4c6f24bf61d1ee0d961b2917bf6123df50e59cafb88c87ccf16a4ae68b55bb10a4f8af021bb06d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
405af810449acfd49e4f4bdf876b1367

SHA1
c955134a589f882c6020d5ed1c89058dbb4680b9

SHA256
c7e6ceb870178a58bb9e1e4276dab697daa4b1e8ffce91a4b5e56889a4b3c4c8

SHA512
4964dd35f1d9082582ae555d4568b7fb2fc90a54947e9fb0060bd493985f3788fa8ba7ce5f243c46af9f3e58d36326d5e8e53fc0ec0fc2d0b628ebeb516cf9ef

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Code Cache\js\index-dir\the-real-index~RFe5894c9.TMP

Filesize
48B

MD5
c6c03ff0ed395d36ab05e3c0a822ff6a

SHA1
f3abb8d2af7a99a172a7e19b2c750214969cd8bc

SHA256
23b087d2139273195e6d5201f24ed2666ef8ae161074dda1e8f6f4074bef6d91

SHA512
acabd81da2c8b5b384f21ce37dba4ad01e588277a7f409d6996667baba82f3f7e730da4ab3b3e3d3149e1e7d7afca96fd374eb16ed0fba47e7ff664fa63f6575

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Network Persistent State

Filesize
4KB

MD5
8bf8c5bbce234d5e3d21b2099b0eaf5c

SHA1
f4010e6acf9685dd2f456c37ed7fbcea261f2be5

SHA256
e0ddc7b4be136cde2bfa2e10a56698579b85fe3596f4c678a377a88a5ca22a0b

SHA512
df6e8850b9a1a740300e968c981ef9086f66b41fe924bca9784aac53413de7326650e4ea29a98b2f9145e03a898d2f57dad12c66718c7b91d6bf899b99fa0f44

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Network Persistent State~RFe590d25.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Preferences

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe583a45.TMP

Filesize
90B

MD5
139be5cdcb03cee9cc1304961dc9c734

SHA1
cdd814b500e11a11da8907840c403d46fd537bbe

SHA256
7e9a58afeb18716512f57d34c3032a0b6a928da66c6f67c04d982404e269748c

SHA512
7c325a674bdc0f5ff6c38d1048515fe59a46e368140b9a3224182391785f1048c486a4a54d0a5d97627c3712470ad033dcad4e0a9e0668f9053b99bf2ce25d86

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
360B

MD5
a68d7e60816ec3c7ba3cd5c39c527c63

SHA1
505fee6f64897dac8b4756f703c06ab7a10cb203

SHA256
a52026f9fedffd74d60582f07320d449a000b605c558d070aebb7a21118c1f86

SHA512
d33b0504835728678a2217462f0ade527d38f9b8d3b62bffde1bec5f0c6581c565d4a858b9bc714cdd1a2d07aacfd5f60bdaefcd6cab8846317b65767fd98bc4

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
358B

MD5
1f272d0cca801c107a0d5850883b5f73

SHA1
b6ab142016878852544660d6790041a1bd425ee8

SHA256
50239f5fa76442d9d0f4473af5bc44bea433f96def01acb55d0abf580e7d44b0

SHA512
d47252ccb8226c2e2ef9b7d77368384592e104ce18a3c3dc1c8c5f42521e8b377a60e2c88fb0b9fc0c802a6d879bfc99b4966212e805982e0a5dd8ee89084bf9

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\settings.json

Filesize
409B

MD5
02ceb1f30fd6ec12459e3482c7783638

SHA1
857a6065f2643ae025b11a1d9c7895e0ea3d0907

SHA256
0456410d1b98abb39a45a4e43d244d0480db0e864744d1cf25c2fa8c67ae579b

SHA512
13f4af65e9005721edb826cfcd83fd0fb59a96c02b989b1a7ea28585a180d8da8cab19968e560c005e778219c472d03adc7cc46beab895e1ef6b5be9b0af5a4c

Download Submit
C:\Users\Admin\AppData\Roaming\RBXIDLE\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\c1e89cc7-783a-4b17-9c54-cc77c062bf92.tmp

Filesize
874B

MD5
bc995d718cb2e2f2ff12477b9a1c8852

SHA1
34500786478a2372823e684e095271f838956e3e

SHA256
1cbbf04c4af91ed643a1b8ba94c3357351175144c6655b6ab848d8c4492d445c

SHA512
35546b2750ba91d4ce106a9654182d7cfbf6e89c5479ca4c200203d704a8e36694bec14cc290adcf019eab81c7b50985a6efa55a85c3408cef312dae1413f704

Download Submit
memory/1176-984-0x00000275EDE80000-0x00000275EDEA2000-memory.dmp

Filesize
136KB

Download
memory/2224-1213-0x00000193205D0000-0x00000193205F4000-memory.dmp

Filesize
144KB

Download
memory/2224-1183-0x0000019320650000-0x00000193206C6000-memory.dmp

Filesize
472KB

Download
memory/2224-1211-0x00000193205D0000-0x00000193205FA000-memory.dmp

Filesize
168KB

Download
memory/4292-874-0x00007FF83BA70000-0x00007FF83BA71000-memory.dmp

Filesize
4KB

Download
memory/4656-1182-0x0000027EEC7A0000-0x0000027EEC7E4000-memory.dmp

Filesize
272KB

Download
memory/4820-1237-0x000001CD502B0000-0x000001CD509EF000-memory.dmp

Filesize
7.2MB

Download
memory/4820-977-0x00007FF83C0E0000-0x00007FF83C0E1000-memory.dmp

Filesize
4KB

Download
memory/4820-976-0x00007FF83C6F0000-0x00007FF83C6F1000-memory.dmp

Filesize
4KB

Download
memory/6468-1404-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1393-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1391-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1392-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1406-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1405-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1401-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1403-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1402-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download
memory/6468-1400-0x0000015E95C00000-0x0000015E95C01000-memory.dmp

Filesize
4KB

Download