lumma | hxxps://www[.]mediafire[.]com/folder/0s4l0ql101w6f/ROBLOX+EXECUTOR

Resubmissions

29/12/2024, 22:41

241229-2mj4ssyral 10

29/12/2024, 22:39

241229-2k9xfayqel 10

Analysis

max time kernel
198s
max time network
199s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/12/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/0s4l0ql101w6f/ROBLOX+EXECUTOR

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
2872	Loader.exe

Loads dropped DLL 1 IoCs

pid	Process
2872	Loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2032	2872	Loader.exe	108

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	2872	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Roblox Executor.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1840	msedge.exe
1840	msedge.exe
1224	msedge.exe
1224	msedge.exe
1016	identity_helper.exe
1016	identity_helper.exe
560	msedge.exe
560	msedge.exe
668	msedge.exe
668	msedge.exe
668	msedge.exe
668	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1776	7zG.exe
Token: 35	1776	7zG.exe
Token: SeSecurityPrivilege	1776	7zG.exe
Token: SeSecurityPrivilege	1776	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1492	1224	msedge.exe	77
PID 1224 wrote to memory of 1492	1224	msedge.exe	77
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 2240	1224	msedge.exe	78
PID 1224 wrote to memory of 1840	1224	msedge.exe	79
PID 1224 wrote to memory of 1840	1224	msedge.exe	79
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80
PID 1224 wrote to memory of 5012	1224	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/0s4l0ql101w6f/ROBLOX+EXECUTOR
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa04453cb8,0x7ffa04453cc8,0x7ffa04453cd8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2124341226249593019,14563069671456363388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Roblox Executor\" -ad -an -ai#7zMap13112:92:7zEvent23964
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\Downloads\Roblox Executor\Roblox Executor\Loader.exe
"C:\Users\Admin\Downloads\Roblox Executor\Roblox Executor\Loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1092
  2⤵
  - Program crash
  PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2872 -ip 2872
1⤵
PID:200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
75KB

MD5
5e9c8e9d786914e3aac019359b5627e6

SHA1
1a4c5bc6657efefdb963d8bdb56992af24914fdd

SHA256
69a6185b497314b3a37e4e7a93151a4c47f7871cf30e4f7af8be6db8658b999e

SHA512
f7614898b426cddb7c3a3bf65a89bd4c515e1375fb4c1049f11b71d9415ad4aa8382f910632ace4c7e90e99d94e564fd374ae6c70a666709ecae3b5b135ee89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
87KB

MD5
5a47836b71dd46372e3a2a242cce08ba

SHA1
69e31e7db17f71c546dcbd3bfe5a1cce2e830764

SHA256
8992d968109b20312536c064fbf841daa76ff9cb1533b3bcde96ba9043d4e978

SHA512
e9ed93d6ec3750d5d8882d2c9d25ee54559d99fa12708b1dab45c0d392691c09328e78a66db2a287cd85282d2f014e05cea5c93831e6e0d5cfda34243201a008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
135KB

MD5
344957c092d661cacecaea470a54c754

SHA1
559d889edfd324f805d82c8ab69c84a13f80c7b6

SHA256
a48d80861b1549418187603153fe7200129dd1be360eba78ff2bae2a2cbf0db9

SHA512
228afac9bc0d7fa0966ff6e15e0187cbc826af4cee8734b3a526327d714373dd501f8cb516073eaad86cb4f647b4dc4019df63629dbc2f26ca54f620f2b8a973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
73KB

MD5
eb0ab29ad52ca9b03da2eee8eaf58bc5

SHA1
43a13ccab2622c29c4902aa441217ad5149bbbe3

SHA256
3f5853f4b1602fa6a4a8575a0a676c160f6a624a6820f0a1b9a3266c319787f3

SHA512
ff7e7918652099325b0f96a7cd6ab71ef10c2d68e2c2e3fe212ccb7806a0b1c765f151e1027ccc88b447f15960f2a22697556381d55f96b99729f779a12d8014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
21KB

MD5
660c3b546f2a131de50b69b91f26c636

SHA1
70f80e7f10e1dd9180efe191ce92d28296ec9035

SHA256
fd91362b7111a0dcc85ef6bd9bc776881c7428f8631d5a32725711dce678bff9

SHA512
6be1e881fbb4a112440883aecb232c1afc28d0f247276ef3285b17b925ea0a5d3bac8eac6db906fc6ac64a4192dd740f5743ba62ba36d8204ff3e8669b123db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
21021d7c597e45b22958a4f77557f3c1

SHA1
c6dd0632ffe140e90ad442d938ee9c14ac88342d

SHA256
88562039fd0c10b1ce8e4d9c2c94bb3d89ecc7b657ef1b0e9eb521e4290d7c0c

SHA512
0d0add1dbfdf4c2f961eba73ec3722baf2ea3cd0f92b4472c11a0d694a1984a0f76f2f9cec8a410eb7a372ea225c461c5da895f130f5ebad2829aad2aa6ceb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
bc66a279335ab77332b8b923cdb22614

SHA1
67cda0a12d761de4a35394eae4fca85c8ff1f4ff

SHA256
1b42ab603d6dbcd4265f39f72b88420f6c0c9ae5a883e914dd7c91a3477fec36

SHA512
e470d0fc4d8d9fa8b29beba04efc1d8b859373a84a8979cb3d98a156d37d1d1180e72daa15b8b5990b4581b5f405836723b3fe902d1239e44ca8362af10bbb05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
515b671dde24613c09656b61ffeb2149

SHA1
681a39e746c34b7f52e863f0faef6d9a7e077330

SHA256
c2242b52fd78156420f66b53548a8eda7bff57c4747fa6410933ab9827282db9

SHA512
0b0c29714f8a58504513151be436f619032e2372ec21c54884af9b4bc6c5b882cd4fb903fd7a735a5fac7e3384fbb147e68c0836eaa48441ce7938da3c172095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
39190aaa940d80bccf9aa8cbc5d40fdd

SHA1
19cf82a7438befca0d13ee29ed22a4a762cd26e8

SHA256
8ab756a78617c24deb29c1383d0f0935fd952bed7b6b592c9f666d0ebd5ce775

SHA512
80b8f579bba7baba48bba35db73835dbaac19ebc38fb3075fcba28f4f52fb7dd06af32828d77d88b541a4dce3e9d3e1eabf86a193b9b2b9fd6a1d8af44969eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
79958c8070ee0a28e130d7343e7968bb

SHA1
05e64da8079c45a0ee1c70eb77a6af761ae6edb8

SHA256
79495b616202347ad3930d990b2d342c1d09603fd6cb987306fa797bdadb3529

SHA512
46b76e3cd6e0161c6197896a943eade0ffcc554171f4c54a169f1b393925fd482a85bd63db8ed2cf256ee10b43c17a021d3a3ab83e85067074e3f56f26fcb705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f10986a3258c5e4f019d32fe5274ef11

SHA1
16ea09f6daf7e385b2ce9b548cfaf101c096388a

SHA256
6a3bb81705425d11804d8b61dda46c76c7916b7ddbd81c2aaf96c3d26b3bd072

SHA512
169ef548ab939fbf16cfe63d6cf1854832e8784cde73a35f3a84e9e602fe79aa312d9440289ac0a5c9cc2d75e2b4fb3bb11467d377fd2af4404447ac2d244f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
beac36606ea1da79ed2871d8f374bfc8

SHA1
61f16a4c6aade56bffdd28fd2dc37d51c404d1d5

SHA256
02c355f4b0b5c9330eab53604de4e7e2aa12c67ec9f9f2d77c76391d1a7d7721

SHA512
23e4d852ce4a3ca8c76ef43178f2ef1c4bea7cf6c01dd87fbd173696ae1e7cdc774498e551735a66c7a7791c4fa25ae4680fa754016f6867394b16165971913a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
58a6d7e030882c033dc5e5021b778ab4

SHA1
835c1c130c5c80d7a2b78753c4176c73ebb3746b

SHA256
be5e502d8df9ee4cb876535a77460d7b3112d063a45899eabefc07ad6fd7ab87

SHA512
09754088476e291598467e241c564c23f2801a70381bd8c83abae7e5b759985bf2367ddac0e56841fa94c99b063447307176cfe7f45335a88bba45d173bc57ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4ad0705975ffba29cf050c885bf53209

SHA1
00c3e7567f9a99285af66567bbed8dadd00918fb

SHA256
38c3b9e32017c9a4dcfcafc638c9a276c3e083b440fde730fb2ba52f076ddde1

SHA512
cdd042e18e417ea52418da338dbf287bbab935370469b937d833861448242b22d407bb1d763b8404f3266ae52ca61023f17cfb6496e0703b38a00c6d7cac42ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e69bcf7a0f3873afd6a65b443a08c57f

SHA1
9b17b853a5c86029d2d4afad7d6a5de4f8f43099

SHA256
5e179d0d0fa55902217993ef4bdc96f36998065e612bf08b5d2af8d7e5f5dfa3

SHA512
352a512cb150c7b333a6d98408025c5bb6e063cb3c2eeab02d31227d9b9fdea1dc53591574f8bed80056515ba48b04dd51aba978246f3930ae38402118968b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5eb002eb80de19df6dacd7c0c449fd6a

SHA1
39db101e5b900454458ce6ec5350a37de5fac675

SHA256
94f0a2b02a331783b27544624eff1510d7921d4ca785b1f12842bcd9d2fad603

SHA512
ef48aa64f359f32a9317aed15d5c72bb4cc1938e83db7fb9ad0b3f68eb8973c55f776cc80edd6ec78d51600e1aadbaf97dbea4be4ef03dcb541c0bcd174da6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ce39b739b5ecf5d854dc77aa8768e059

SHA1
0cac6b732ab961a2b1ac9dc19a8de3e298df19f0

SHA256
3bc58e5f6da0d3d99ce3e54dd89472117b6a68dacf7de860cf6629cfaaa3f5d9

SHA512
d0bf5f4db0708e551165281ace8d6185ed0829ff5a52a49d1c77b2bd52e3e849e074c2dc7b27b69bab42bc62c0ce9fe7683d8d991e065906e5a87e424d504007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59c7cb.TMP

Filesize
48B

MD5
264504172d0fcb6ee35ff3b2c3c288b2

SHA1
ed99b1a8016fd652a75f4b96e0367d84def1c104

SHA256
b5d903b8fc237934d474774d2c9e74340b26c4acb135054a035c96780516d33b

SHA512
89695880c173bea0a84a0065a1f0ab64ffb9107d1252141ab1d0f8b4fd031a0e684d1335d0ea97542d87d6ab1bf3c6a8e7cb05d395c89aa886aaa042ee1f33ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed6cf1be68fe3287042450121f85f636

SHA1
794a4fa950df418e3af896b579bb12ac77d3a348

SHA256
941531d4dfb76ae40876de1b64f9e1f623a4823ed45c8525d8b064e63e1c0c19

SHA512
4c4891302aa5e8beeeea0b90fa4eac7f2e7675bcc173234df8ab9aa811caf8a82d5d5576e84353a404a695a8be219d7bf9f3519375f22667223270f7d31cc73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1c65b197477f34d2db9f296c175050f8

SHA1
94a9b7dc76752c5b49f1fb9e006f94d8f02386e2

SHA256
902d6a68deeea7a51fdc7b59fbfe722a2a20622708d578080fee3241c299b96f

SHA512
c244e043e1a45cca0b13eaa259e4cb32419d1a3cd2b6c0f003fa8b7eb8ba33cb92f04dbd7f3051a786455e17d6021a0b6db6c085d27069105014cf06f67f43b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5681c218d3360a23d38a5464fd2e0a90

SHA1
d9eb6af7ab86f26ee44719a7b6c0f52285d165b9

SHA256
476b7c0217360dbace467cd7cd07937326943ee9ca3b6f6b8001be3d5c960bd3

SHA512
05d022de05349052219b90a82e0f459ccd3002f33a3df6cb32bc7d603b19132294b58bd8dda3534a4935c4c55557d2936f67e50e914b54088d4a8f2a3e9657a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a3dc1811a17f5bda461ebc1223f6897

SHA1
442075adb338a3452f64cb7570d2b73418108a25

SHA256
10f93ecea73c694c34cd98ccfaa4bb9a23f7e815a5bd8148bd0782566ba1b9a9

SHA512
c9f64075cfb72061ca10d7f43a6164834ba62135b5c79053281d6d6657fd0498601483499cb425a6103c1b1e1ebf3b86de71cdab10d5feaf677431c2adfb9cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
1fd2f2e961c29239e77e7719349ee64a

SHA1
4b7540972f0d73f3d2f1a4cdb7bd520d82e03e45

SHA256
4762b5f9ac11b549f3aac97dbcaad52e12301797ef0040950e02f72471e39d66

SHA512
48e056a8afddbe592c63979ce6aca33e445c76f186c0f3e376ced029786d7ebb4fde4805963e556f4e2fffbb667675ab2b9d3daef57d9f6a0ae3ad53db53c453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582006.TMP

Filesize
204B

MD5
6086f069b4fcb2de38bf1c3836ebbe3e

SHA1
c942016cd4e0d0188740470fb53a59278c994caa

SHA256
2d26ce682adc1d53ffdd160d3a917c066431c4bc50ba22d315a44a62e17a06dc

SHA512
e27acb354d3dfb65d4ba36f752111da3738d5ad850090300983e946a7ad137843ad50aae7643e65989b7765c4a5209e7880ca0de1db67ff383d6b282ad435eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc55a652fc79a48efa5fcdab180b1c43

SHA1
94441843881b8d8370529229f0c106b1c2ab201a

SHA256
8493669259d9d53078295301bf27d1c1157cc98463bea5eb0c8c064de08b8c6b

SHA512
a151023eefeb1942b07bd202590b09b80aefbe5cdbd96d42eb357cc7c66fb033d9d2176a7c802d82fc619b7d5624cf5cf31e6611173870288513971124b6a404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a046d824e09042618888bc2d4ef9982c

SHA1
07bd927b3ec24be4386b992d30c8c72e4f495d21

SHA256
06818caee1c93add0d2334be0f17a72bf9c0a77e6f6bde222e5f855843a604d9

SHA512
d7085ee2256fc8772772e748e21282e242e6b0d1d8cd000f78dcf0c3ddcc0f29fe07df23ce1a58e889c5ff4bf20a5908c75cecbbaea4aed2d97afa6305533bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bea1a6e09b285025c445e1aef54387cb

SHA1
f5ec2234b6879dd29b5e550c12f2e1379eb47e83

SHA256
562d2a8ebcabe024347fdedea0c01d6ec90102f5d9cf127a80d2408eec60322f

SHA512
659d44aca42dfac2d14f0649fef53d4034c3a2a6bc5645ae9c97168c32ae1b8d077349a8e27629cf576234abe823be05aceb38d3c6114e3c3e885f171b300389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1b40a1548293e1da96f7c12c81b6947b

SHA1
db72600ec481262cf646df9249cabd85421ebad9

SHA256
133dd5f74f9dbed9720950dda7cd1fbd7d71d66f40e0a531dc99f761068d6a7a

SHA512
49dbf8faca92487c01bcd20249f55a1ab93874ffc8e2c1f2b1f1cc5f3721fbe876a09936ab1cf8ca6716bba69288f92582dffffa5693cda512c23d021f7e23e7

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
428KB

MD5
a1f9f1967ba34eb5eb774613472de361

SHA1
9674c37c310d8428a2132d980a36a49a0152e91c

SHA256
ed20b84b5a6046bac0adc3ed4fcf80aeabea2c5809c2cbf72e5d5c32b4567656

SHA512
5e2b1627268b60585fabfee16a72a84782c4163ce5dfefb85e668b2489f50ab47f5c17b0d165508551406b5195d91a6ddb3b8502b9d6559843822a01ab4f2207

Download Submit
C:\Users\Admin\Downloads\Roblox Executor.zip

Filesize
17.0MB

MD5
e0619ac699b3fefb85505e95ce836789

SHA1
a8170689bc662ed8303fcd83169d38d388852d35

SHA256
60a0de091d6f97c3e4a3f368ba779ac69d88a7f84344e183ea2f18ca7d06020e

SHA512
10b03c27667922ed4dc57de6f5751acef7384cdaa99bebae2d112872adb1decb6c68ef2eec0c885a6bfe02dad2f90eef2c280b371c09ee04a61e0289344a426c

Download Submit
C:\Users\Admin\Downloads\Roblox Executor.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Roblox Executor\Roblox Executor\Loader.exe

Filesize
687KB

MD5
07e84dbc44ec895c86548b7147367dc5

SHA1
cc2f3b2006d0981e2a5a4a25bef9a94b32dff35f

SHA256
8e3cd56ff626e5e48162b7d09d108b7838a64ba091721107cd5a1a32e894065c

SHA512
bb0cfbd103a8ce5499abb0db907b94d2bde4d048a5152e1616a846c23b447386117b8004168787ed0f5920e6b86909c7a13b6e4a2dabf74696c16d4c388cf102

Download Submit
memory/2032-1362-0x0000000000FA0000-0x0000000000FF7000-memory.dmp

Filesize
348KB

Download
memory/2032-1363-0x0000000000FA0000-0x0000000000FF7000-memory.dmp

Filesize
348KB

Download
memory/2032-1366-0x0000000000FA0000-0x0000000000FF7000-memory.dmp

Filesize
348KB

Download
memory/2872-1354-0x0000000000DC0000-0x0000000000E74000-memory.dmp

Filesize
720KB

Download
memory/2872-1355-0x0000000003210000-0x0000000003216000-memory.dmp

Filesize
24KB

Download