URL:

https://getmyfilenow.com/lp?id=Artic%20X%20Roblox%20Exploit%20V1.0.3C_94708122

Full analysis: https://app.any.run/tasks/cd2407fc-d6e5-4ad0-a8c7-5647059766d7
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: August 19, 2024, 00:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
pua
adware
Indicators:
MD5:

AD3BA08FAF92EBE8B1AA38B8B87E576C

SHA1:

8865AD61F53BBFBC958586912CCE7CAB2A56F9CD

SHA256:

3872AF54982C4FC05137A49DE77AFD753F97EA735148124AF46B39D671E6D607

SSDEEP:

3:N8hPIuJRaAJtZ6pKh09VzUdWmhS3OX:2jKGtEk034dWmE3OX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • setup94708122.exe (PID: 4592)
      • OfferInstaller.exe (PID: 6184)
    • ADWARE has been detected (SURICATA)

      • setup94708122.exe (PID: 4592)
    • Scans artifacts that could help determine the target

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • setup94708122.exe (PID: 6948)
      • OfferInstaller.exe (PID: 6184)
      • setup.exe (PID: 4280)
      • Artic.exe (PID: 8072)
    • Checks Windows Trust Settings

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • setup.exe (PID: 4280)
    • Executable content was dropped or overwritten

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • OperaGX.exe (PID: 4064)
      • setup.exe (PID: 6724)
      • setup.exe (PID: 6804)
      • setup.exe (PID: 1716)
      • 2fquplza.irs.exe (PID: 3140)
      • setup.exe (PID: 5944)
      • setup.exe (PID: 4280)
    • Drops the executable file immediately after the start

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • OperaGX.exe (PID: 4064)
      • setup.exe (PID: 4280)
      • setup.exe (PID: 6724)
      • setup.exe (PID: 6804)
      • setup.exe (PID: 1716)
      • 2fquplza.irs.exe (PID: 3140)
      • setup.exe (PID: 5944)
    • Process drops legitimate windows executable

      • setup94708122.exe (PID: 4592)
    • The process drops C-runtime libraries

      • setup94708122.exe (PID: 4592)
    • The process creates files with name similar to system file names

      • setup94708122.exe (PID: 4592)
    • Reads the Windows owner or organization settings

      • setup94708122.exe (PID: 4592)
      • OfferInstaller.exe (PID: 6184)
    • Adds/modifies Windows certificates

      • setup94708122.exe (PID: 4592)
    • Searches for installed software

      • setup94708122.exe (PID: 4592)
    • Get information on the list of running processes

      • cmd.exe (PID: 6600)
    • Executing commands from a ".bat" file

      • setup94708122.exe (PID: 4592)
    • Starts CMD.EXE for commands execution

      • setup94708122.exe (PID: 4592)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6600)
    • Reads the date of Windows installation

      • setup94708122.exe (PID: 4592)
      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
    • Application launched itself

      • setup.exe (PID: 4280)
      • setup.exe (PID: 1716)
    • Starts itself from another location

      • setup.exe (PID: 4280)
    • Start notepad (likely ransomware note)

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
    • Access to an unwanted program domain was detected

      • setup94708122.exe (PID: 4592)
    • Drops 7-zip archiver for unpacking

      • 2fquplza.irs.exe (PID: 3140)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 6452)
      • chrome.exe (PID: 4576)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 6452)
      • WinRAR.exe (PID: 6296)
    • Checks supported languages

      • TextInputHost.exe (PID: 4788)
      • setup94708122.exe (PID: 4592)
      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 6948)
      • OfferInstaller.exe (PID: 6184)
      • 2fquplza.irs.exe (PID: 3140)
      • setup.exe (PID: 4280)
      • OperaGX.exe (PID: 4064)
      • setup.exe (PID: 6724)
      • setup.exe (PID: 6804)
      • setup.exe (PID: 1716)
      • setup.exe (PID: 5944)
      • Artic.exe (PID: 8072)
    • Reads the computer name

      • TextInputHost.exe (PID: 4788)
      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • setup94708122.exe (PID: 6948)
      • OfferInstaller.exe (PID: 6184)
      • 2fquplza.irs.exe (PID: 3140)
      • setup.exe (PID: 4280)
      • setup.exe (PID: 1716)
      • Artic.exe (PID: 8072)
    • The process uses the downloaded file

      • chrome.exe (PID: 6332)
      • WinRAR.exe (PID: 6296)
      • chrome.exe (PID: 7856)
    • Manual execution by a user

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 5196)
      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • chrome.exe (PID: 4576)
      • WinRAR.exe (PID: 6296)
      • Artic.exe (PID: 8072)
    • Checks proxy server information

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • OfferInstaller.exe (PID: 6184)
      • setup.exe (PID: 4280)
      • Artic.exe (PID: 8072)
    • Creates files or folders in the user directory

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • OfferInstaller.exe (PID: 6184)
      • setup.exe (PID: 4280)
      • setup.exe (PID: 6724)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 6452)
      • chrome.exe (PID: 4576)
    • Reads the software policy settings

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • setup.exe (PID: 4280)
      • OfferInstaller.exe (PID: 6184)
      • Artic.exe (PID: 8072)
    • Reads the machine GUID from the registry

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
      • setup94708122.exe (PID: 6948)
      • OfferInstaller.exe (PID: 6184)
      • setup.exe (PID: 4280)
      • Artic.exe (PID: 8072)
    • Create files in a temporary directory

      • setup94708122.exe (PID: 4592)
      • setup94708122.exe (PID: 6948)
      • OfferInstaller.exe (PID: 6184)
      • 2fquplza.irs.exe (PID: 3140)
      • setup.exe (PID: 4280)
      • OperaGX.exe (PID: 4064)
      • setup.exe (PID: 6724)
      • setup.exe (PID: 6804)
      • setup.exe (PID: 1716)
      • setup.exe (PID: 5944)
      • Artic.exe (PID: 8072)
    • Reads Environment values

      • setup94708122.exe (PID: 4592)
      • OfferInstaller.exe (PID: 6184)
      • Artic.exe (PID: 8072)
    • Disables trace logs

      • setup94708122.exe (PID: 4592)
      • OfferInstaller.exe (PID: 6184)
      • Artic.exe (PID: 8072)
    • Process checks computer location settings

      • Artic X Roblox Exploit V1.0.3C_94708122.exe (PID: 2680)
      • setup94708122.exe (PID: 4592)
    • Creates files in the program directory

      • 2fquplza.irs.exe (PID: 3140)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
184
Monitored processes
48
Malicious processes
5
Suspicious processes
1

Behavior graph

Processes shown in the graph, in order ("no specs" is the report's own label for a process with no specific indicators): chrome.exe; chrome.exe (no specs); chrome.exe (no specs); chrome.exe; chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); textinputhost.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); rundll32.exe (no specs); artic x roblox exploit v1.0.3c_94708122.exe (no specs); artic x roblox exploit v1.0.3c_94708122.exe (#ADWARE); setup94708122.exe; setup94708122.exe (no specs); offerinstaller.exe; cmd.exe (no specs); conhost.exe (no specs); tasklist.exe (no specs); find.exe (no specs); timeout.exe (no specs); 2fquplza.irs.exe; operagx.exe; setup.exe; setup.exe; setup.exe; setup.exe; notepad.exe (no specs); setup.exe; chrome.exe; chrome.exe (no specs); chrome.exe (no specs); chrome.exe; chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); chrome.exe (no specs); winrar.exe; artic.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=500 --field-trial-handle=1936,i,18363488936485170104,5264587354373701008,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 368
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1936,i,18363488936485170104,5264587354373701008,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1716
CMD: "C:\Users\admin\AppData\Local\Temp\7zS0EFE1D1F\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4280 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240819000246" --session-guid=01b17e72-04d8-4474-9d33-d18396438382 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=D805000000000000
Path: C:\Users\admin\AppData\Local\Temp\7zS0EFE1D1F\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX Installer
Version:
112.0.5197.60
Modules
Images
c:\users\admin\appdata\local\temp\7zs0efe1d1f\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 2680
CMD: "C:\Users\admin\Downloads\Artic X Roblox Exploit V1.0.3C_94708122.exe"
Path: C:\Users\admin\Downloads\Artic X Roblox Exploit V1.0.3C_94708122.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Download Manager
Version:
1
Modules
Images
c:\users\admin\downloads\artic x roblox exploit v1.0.3c_94708122.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3140
CMD: "C:\Users\admin\AppData\Local\Temp\2fquplza.irs.exe" -i * -accept -silent -p pubid ES -p templateid 639a1e1f80cd6029193882a6 -p source lvsppi
Path: C:\Users\admin\AppData\Local\Temp\2fquplza.irs.exe
Parent process: OfferInstaller.exe
User:
admin
Company:
EnigmaSoft Limited
Integrity Level:
HIGH
Description:
EnigmaSoft Installer
Version:
3.0.853.5482
Modules
Images
c:\users\admin\appdata\local\temp\2fquplza.irs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
PID: 4008
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5300 --field-trial-handle=1940,i,14447036954993584836,8097123596705825369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4064
CMD: C:\Users\admin\AppData\Local\OperaGX.exe --silent --allusers=0
Path: C:\Users\admin\AppData\Local\OperaGX.exe
Parent process: Artic X Roblox Exploit V1.0.3C_94708122.exe
User:
admin
Integrity Level:
HIGH
Description:
Opera installer SFX
Version:
112.0.5197.60
Modules
Images
c:\users\admin\appdata\local\operagx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4276
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4500 --field-trial-handle=1940,i,14447036954993584836,8097123596705825369,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4280
CMD: C:\Users\admin\AppData\Local\Temp\7zS0EFE1D1F\setup.exe --silent --allusers=0 --server-tracking-blob=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
Path: C:\Users\admin\AppData\Local\Temp\7zS0EFE1D1F\setup.exe
Parent process: OperaGX.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX Installer
Version:
112.0.5197.60
Modules
Images
c:\users\admin\appdata\local\temp\7zs0efe1d1f\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 4576
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
113,118
Read events
112,839
Write events
269
Delete events
10

Modification events

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation: write
Name: StatusCodes
Value:

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write
Name: dr
Value: 1

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome
Operation: write
Name: UsageStatsInSample
Value: 0

(PID) Process: (6452) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (6452) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write
Name: metricsid
Value:
Executable files
44
Suspicious files
156
Text files
78
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFe5bf6.TMP

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RFe5c06.TMP

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFe5be7.TMP
Type: text
MD5: 8F45965291AB2DA10EEB049FB6E917C6
SHA256: 8A0DE526945B27CDBBD87357C85FDDD37B572370F894CB0A5AC533FD465D2166

PID: 6452
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
Type: text
MD5: FCE53E052E5CF7C20819320F374DEA88
SHA256: CD95DE277E746E92CC2C53D9FC92A8F6F0C3EDFB7F1AD9A4E9259F927065BC89
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
144
DNS requests
73
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2680
Artic X Roblox Exploit V1.0.3C_94708122.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
2680
Artic X Roblox Exploit V1.0.3C_94708122.exe
GET
200
142.250.186.35:80
http://o.pki.goog/s/wr3/PIM/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEDyDcTv8LUs2EpYkQxGX%2BBE%3D
unknown
whitelisted
4592
setup94708122.exe
GET
200
69.192.162.201:80
http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEBh0NsmIOct9rTne%2FAjdFO0%3D
unknown
whitelisted
2680
Artic X Roblox Exploit V1.0.3C_94708122.exe
GET
200
142.250.186.35:80
http://o.pki.goog/s/wr3/FFw/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEBRcyKmNl5rMCl5QAsUMjJ8%3D
unknown
whitelisted
2680
Artic X Roblox Exploit V1.0.3C_94708122.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6920
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4592
setup94708122.exe
GET
200
69.192.162.201:80
http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D
unknown
whitelisted
4592
setup94708122.exe
GET
200
69.192.162.201:80
http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D
unknown
whitelisted
3140
2fquplza.irs.exe
HEAD
405
142.250.185.68:80
http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRTYRe7GKWXirYGIjA5Z0O3mNgTlobgVRYU4H57dEfcMi0pf7axZ8_7obtlZalRXY5MouQ1UY6OUC0tA-wyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
unknown
whitelisted
3140
2fquplza.irs.exe
HEAD
302
142.250.185.68:80
http://www.google.com/
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2468
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5116
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6724
chrome.exe
142.251.168.84:443
accounts.google.com
GOOGLE
US
unknown
6724
chrome.exe
172.67.204.186:443
getmyfilenow.com
CLOUDFLARENET
US
unknown
6452
chrome.exe
239.255.255.250:1900
whitelisted
6724
chrome.exe
35.190.80.1:443
a.nel.cloudflare.com
GOOGLE
US
unknown
5116
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
accounts.google.com
  • 142.251.168.84
whitelisted
getmyfilenow.com
  • 172.67.204.186
  • 104.21.50.104
unknown
a.nel.cloudflare.com
  • 35.190.80.1
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.google.com
  • 142.250.185.68
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
sb-ssl.google.com
  • 142.250.185.238
whitelisted

Threats

PID
Process
Class
Message
6724
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6724
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3 ETPRO signatures available at the full report
Process / Message
Artic X Roblox Exploit V1.0.3C_94708122.exe: Error: (undefined) has no property - value
Artic X Roblox Exploit V1.0.3C_94708122.exe: at initializeDynamicVariables (this://app/main.html(329))
Artic X Roblox Exploit V1.0.3C_94708122.exe: at getFileInfo.@285@39 (this://app/main.html(307))
setup94708122.exe: Error: File not found - sciterwrapper:console.tis
setup94708122.exe: at sciter:init-script.tis
setup94708122.exe: file:resources/tis/TranslateOfferTemplate.tis(82) : warning :'async' does not contain any 'await'