8bdc4a080415af8c84897ad4b7c99b49834d690534cd1905c998d3668063791e

Analysis

max time kernel
55s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
07-03-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instalacion de roblox.exe
Size

2.0MB
MD5

eaa7c4c1c95b9addfde5007f7d950391
SHA1

2214dca2e8d2f5204a171524096786b2717088d3
SHA256

8bdc4a080415af8c84897ad4b7c99b49834d690534cd1905c998d3668063791e
SHA512

2aefb2493302283e4b3e7522708da784e28b24c18c38dca5b26a2c9b83839d8de2b8558c78d2db26d13fe93ba347810da10cc63727e31951d1351a54c46b2cfa
SSDEEP

49152:20oO7pOph8nfCtHTnwa/gdV0ETGRMfPMQ3dSxtTX4b6PV/L:hH7p4h8nfCRQbYVD

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	instalacion de roblox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	instalacion de roblox.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-b6bd621d-e6abd03f\lumberyak\example\page\component.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\installReducer\presenceActionAdaptor.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\Dev\GraphqlHttpArtifacts.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-5e199548-ff27333b\ExperienceChat\AppLayout\AppLayout.story.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\JestReporters-edcba0e9-2.4.1\JestReporters\init.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-5fead8c7-0.1.1\lumberyak\MockLogger.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\React-a406e214-4230f473\Shared.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\RoduxFriends\Selectors\isFriendsWith.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GameDetailRodux\GameDetailRodux\Reducers\GameDetailReducer.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SharedFlags\SharedFlags\GetFFlagEnableVRReadyToast.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\Settings\ShareGame\icons.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\textures\ui\LuaChat\9-slice\error-toast.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\Merge\Merge\typedefs-mergers\directives.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\PublishPlaceAs\MoreDetails.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\BubbleChat\ChatBubbleDistant\ChatBubbleDistant.spec.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\Actions\ChatWindowSettingsChanged.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\Dev\Rhodium.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\AnimationEditor\Button_Curve_Darkmode.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\PurchasePrompt\RightButton.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\TopBar\[email protected]	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\roblox_lumberyak-b6bd621d-e6abd03f\lumberyak\init.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Analytics\Formatters\init.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\StudioToolbox\EndorsedBadge.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\textures\ui\LuaChat\icons\[email protected]	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\NetworkingCurrentlyWearing\Rodux.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\RoduxUsers-0641181c-bdaabf6e\Cryo.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\Controls\[email protected]	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ReactTestingLibrary\ReactTestingLibrary\__tests__\rerender.spec.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\roblox_networking-presence\networking-presence\init.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsList\ContactsListMapDispatchToProps.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\FriendsLandingContainer\init.test.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.4.2\LuauPolyfill\Timers\makeIntervalImpl.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-9c8468d8-8a7220fd\ReactDevtoolsShared\clipboardjs.mock.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\InputType.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-2.4.1\RobloxShared\Writeable.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\RoduxFriends-aa874f8b-86a611f7\t.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsCarousel\FriendsCarousel\Common\UIVariants.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\Debugger\Breakpoints\[email protected]	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\ButtonRightDown.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\Menu\hoverPopupLeft.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\Vehicle\SpeedBar.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\luaUtils\deepContains.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\textures\ui\LuaApp\icons\ic-arrow-right.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\Http\Dev\JestGlobals.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\Localization.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\AvatarEditorImages\Stretch\bar-full-mid.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\MaterialManager\Create_New_Variant.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\PlatformContent\pc\textures\wood\reflection.dds	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-5e199548-ff27333b\ExperienceChat\Actions\CommandAliasChanged.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\TestMatchers\__tests__\toArrayEqual.spec.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\Jest-edcba0e9-2.4.1\lock.toml	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\utils\KeyGenerator.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ContactImporter\ContactImporter\ContactsList\Components\ContactsList\getDeviceContacts.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\Settings\Players\ReportFlagIcon.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ApolloClient\ApolloClient\optimism\anyEntryTypes.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\Analytics.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\LuauPolyfill-2fca3173-0.3.4\LuauPolyfill\Symbol\GlobalRegistry.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\ReactDevtoolsShared-9c8468d8-8a7220fd\ReactRoblox.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\SocialLibraries\SocialLibraries\Components\Cells\ConversationCell.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Packages\_Index\Utils\Utils\types.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\LuaSocialLibrariesDeps.lua	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\content\textures\ui\Settings\Help\LeaveIcon.png	instalacion de roblox.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	instalacion de roblox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	instalacion de roblox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	instalacion de roblox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	instalacion de roblox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	instalacion de roblox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	instalacion de roblox.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	instalacion de roblox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player	instalacion de roblox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\shell	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-0b123e0533b6441b\\RobloxPlayerLauncher.exe"	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-0b123e0533b6441b\\RobloxPlayerLauncher.exe\" %1"	instalacion de roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-0b123e0533b6441b\\RobloxPlayerLauncher.exe"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	instalacion de roblox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\DefaultIcon	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	instalacion de roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	instalacion de roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-0b123e0533b6441b\\RobloxPlayerLauncher.exe\" %1"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	instalacion de roblox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\shell\open	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-0b123e0533b6441b\\RobloxPlayerLauncher.exe"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	instalacion de roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\URL Protocol	instalacion de roblox.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\roblox-player\shell\open\command	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	instalacion de roblox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	instalacion de roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-0b123e0533b6441b\\RobloxPlayerLauncher.exe\" %1"	instalacion de roblox.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe
4724	instalacion de roblox.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4336	4724	instalacion de roblox.exe	84
PID 4724 wrote to memory of 4336	4724	instalacion de roblox.exe	84
PID 4724 wrote to memory of 4336	4724	instalacion de roblox.exe	84

C:\Users\Admin\AppData\Local\Temp\instalacion de roblox.exe
"C:\Users\Admin\AppData\Local\Temp\instalacion de roblox.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\instalacion de roblox.exe
  "C:\Users\Admin\AppData\Local\Temp\instalacion de roblox.exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=5e5c91aa835e99f5f8232bf2e5dc272e724868f1 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x744,0x748,0x74c,0x690,0x754,0x8fa330,0x8fa340,0x8fa350
  2⤵
  PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
0a5ea9b476f62da3cc0792f86ee653ac

SHA1
2a1e2ee0db395e7daff3bc854c70e96ad3303f03

SHA256
5e99b0e9c1ae1d548af407dce9694afc6462e3e1932cf8df58769b500893e003

SHA512
ebc1337339135a667d53fdd4387633b24530fb7d0f1f64d1114abacf7d7250a2d295e523617f43dfd8b65c503fdf27c1e3f064ac1d6666e67e563d0d7af93397

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-0b123e0533b6441b\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
eaa7c4c1c95b9addfde5007f7d950391

SHA1
2214dca2e8d2f5204a171524096786b2717088d3

SHA256
8bdc4a080415af8c84897ad4b7c99b49834d690534cd1905c998d3668063791e

SHA512
2aefb2493302283e4b3e7522708da784e28b24c18c38dca5b26a2c9b83839d8de2b8558c78d2db26d13fe93ba347810da10cc63727e31951d1351a54c46b2cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
5c92a73b28fec71486b123843223e65f

SHA1
04159e159776571b75f18a8ff3df019591c8f85f

SHA256
96b7af30ce7f443a11e537fa8fb68b10a288f99a6ef45df60624232327b0425a

SHA512
f5c945edeb2b028555b1c9825fe6302264ce06d9a48bb1b428210bd7ac8b34231bc3ed8d7d20cd1e21a5a78ce83a79d5c492514f8fbfb8d46854d5ca9bcb7828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d5b24255647492c44d4df81200efa103

SHA1
b529219fdee19339da42f125e965b8472ff906bd

SHA256
ab0ff82c35118b55c14be59ea4a76588a939d3a161ccddb8ca0ab5e3f1893898

SHA512
9ccf554902c34e17651026e4c354b78646da38b6d0d3f0e52c5fbed8a03f25058cfbac5db3a44c401a17ed64df84a0cc499aeb2a4d9d168d03eda86c2f557200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
fba37afe2172957d479d35e50370e6b6

SHA1
009cea738de51e8b2dc44eec191fd56087f51dc4

SHA256
208ec1fe7bec79937a6432aabff83853b9c97103b79014e9f7d78dc143f62cf4

SHA512
bf3cc2d9fa8beb0d0527fa3ed3563876d180c0673508d9499b6f0b75590065173fe874458e8322a2dc4bae5fc76a2858e3460430ce4068ff595d9865d4781704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
eb3267b513719679c6c462ed84cc4816

SHA1
0358c2a6cd2a3f5a4984238069481fe49cd6e196

SHA256
8925655b8c19b1ac01c726a9f68de2f28634a3fb36639e781c8e874bd7ad63a3

SHA512
1a0663c8db6d45496dd786a69f68fa249bcc3833163ef5280e0c64acc7273d02d8c2a96973eef4cbce089815c2220055bf57423cadb391fa3add4418524907d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
84cb18e6fa2acf5f030d301c5265e09b

SHA1
7ab4fdbc52a512c71e356b19608cd5957fdc43db

SHA256
997f5c83e33b3b40fcc9a47a082f7457f33f19b1fa9c13dc40131d957f0a5298

SHA512
e34e22e3c11c6a69d6b36f78b6fee14f422099eb5757ffafef6ca0090bffcd49749c5e6b95a2da9d0a77c28dc288468d4a40963512f0a3939926978f97bc08cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
1cffc3c52b5ac74c28a24cff56acba6c

SHA1
c4341b62ae4550671dbd04aeb9f270e6059fd988

SHA256
a5eb49c6203bdcbaa2fd5bc2d4201cbd28218a73254cbd7d50539d3af2c6f8e0

SHA512
e27d9189550df85f6f5daa609c724efd30159d73a5e17acf5eced6f9df715f751aa0deea72bc50f74b18a8443d7c216c79af72af1934e67de128b3bcaf458092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\WindowsPlayer[1].json

Filesize
119B

MD5
46fa63f2b38f2d0c4f7d0897f5413fc7

SHA1
420856a615ea0ce22a92ffc95c98558d32522729

SHA256
f8d3ac95e2731ae8f2eda4925488dd67f9e1c5f04bbf49e3a30080cb60c5a3a2

SHA512
c31cdb02940141e9c9ce8d0a1c3e8a95ae82e917bd467532695af35c83b874ec715d396df5900f888e32c3d70800cdcab61b0a6af8e5a37db7d269c7f2d815aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\PCClientBootstrapper[1].json

Filesize
2KB

MD5
e67172b0dea73a79f6f4eb67276c2d84

SHA1
46296c774693fbbdd6000d83b4f11b62332095a8

SHA256
01b8f54205e4e554abe55e09c5ff70a1e503bbf12e83eb5fed1cb2a7bf3bc919

SHA512
098ba9b22ed87dc1acecc9c0bd4d462ea791971c574d3fa487a78d845975a483e92fb1235a0be86b26cf8bb36c231071ae7b34f640a66cb59eea886274b328dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
aa301e6190927c3a881c80ab518ae485

SHA1
d62a2f11b0f1c377dfa92cd280e4df41d2eae46d

SHA256
78a653acbe40d3519f0a5173c7a04ff9acebf52fa9aa0b6e4dade71b6b3eaa27

SHA512
ce93711a7764b4ddb39a4c00b8ccf7135d99c389890e954b593994e9971cb2737d49ca3bd1b7c873c77155c476bc9c121592a2711d1d36a94dd3d841178d5e20

Download Submit