6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
26-03-2023 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher (1).exe
Size

2.0MB
MD5

88e64ec3895db7e1dadeb7e28a149642
SHA1

b566a1a6b0ee3b43488143c8ec3c69f4ca15d05c
SHA256

6408dbd08796f501baf4a67f98c859a6a581a41b1909a987b15e60d06f27fe26
SHA512

f723ab2546b6e91e0e3de90cc2bc0c32983fd9f307676a00caccadebdfab372f6889f0fca75d70a3dd39d875c0f2e40ee5a6d3b6130f99961d1f7b207a8b8fbb
SSDEEP

49152:GrihbF2YzW7juDDUrEC19YTl10auIyhhTxHMOPMQ3d2y7TMb64:84bF2P7jukrEWo1fbB

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	RobloxPlayerLauncher.exe

Executes dropped EXE 2 IoCs

pid	Process
832	RobloxPlayerLauncher.exe
3384	RobloxPlayerLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher (1).exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\StudioToolbox\AssetPreview\fullscreen.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\PlatformContent\pc\textures\grass\normaldetail.dds	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\Promise\Promise330.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\RoactCompat-9c8468d8-8a7220fd\LuauPolyfill.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\Throat\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\UserLib\UserLib\Models\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\waypoint.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\Dash\Dash\copy.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\IAPExperience\Roact.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\TerrainTools\mt_erode.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\installReducer\Adornees\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\NetworkingCurrentlyWearing-fa311043-6c92cae7\DebugUtils.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\UIBlox\enumerate.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\Navigation\DiagEventList.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\React-9c8468d8-8a7220fd\React\React.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\ProfileQRCode\ProfileQRCode\Components\QRCodeView\QRCodeSucceededView.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-2bd849d2-78d25f7e\ExperienceChat\AppContainer\mapStateToProps.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\type\schema.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\GraphQL\GraphQL\validation\__tests__\PossibleTypeExtensionsRule.spec.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\llama\llama\List\findLast.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\NetworkingFriends\NetworkingFriends\networkRequests\createRequestFriendshipFromUserId.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\PrettyFormat-edcba0e9-2.4.1\PrettyFormat\plugins\lib\escapeHTML.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialTab\SocialTab\UserCarousel\Components\UserCarousel\analytics.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\FriendsLanding\Components\FriendsLandingFilter\init.test.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\MessageToast\React.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\Menu\buttonBackground.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\JestDiff-edcba0e9-3.2.1\JestDiff\DiffLines.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\NetworkingPremiumFeatures\NetworkingPremiumFeatures\networkRequests\createGetUserPremiumMembershipStatus.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\RbxDesignFoundations\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\App\Navigation\IABottomBar\Ripple.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactUtils\RoactUtils\Hooks\useLocalization.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\blockUpperLeft.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\LayeredClothingEditor\AddMore_Big_50X50_Light.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\TopBar\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\Console\Console\makeConsoleImpl.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\RoactNavigation\RoactNavigation\routers\queryString.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\t\t\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\RoduxNetworking-fe052a05-3.0.2\RoduxNetworking\RequestBuilder\RequestBuilder.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\Controls\xboxA.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\ExperienceChat-09990ed6-a147b962\ExperienceChat\AppLayout\AppLayout.story.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\textures\ui\LuaApp\graphic\Auth\qqlogo.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\advancedMove_noJoint.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\icon_ROBUX.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\mock\mock\getCalls.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\ReactReconciler-a406e214-4230f473\ReactReconciler\ReactFiberLazyComponent.new.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\Shared-07417f27-17.0.1-rc.17\Shared\ReactSharedInternals\ReactCurrentBatchConfig.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\NetworkingVirtualEvents\Http.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\Capture\Shutter.png	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\shaders\shaders_d3d10.pack	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\GraphQLServer\GraphQLServer\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\VirtualEvents\VirtualEvents\jest.config.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\textures\ui\PlayerList\[email protected]	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\Collections\Collections\Array\map.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\JestSnapshot-edcba0e9-2.4.1\lock.toml	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Packages\_Index\RobloxShared-edcba0e9-2.4.1\RobloxShared\RobloxApiDump.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\RoactUtils\RoactUtils\Hooks\init.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\FriendsLanding\UniversalAppPolicy.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\ExtraContent\LuaPackages\Workspace\Packages\_Workspace\SocialLuaAnalytics\SocialLuaAnalytics\Analytics\FireEvent\toStringAdditionalArgs.lua	RobloxPlayerLauncher.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\content\avatar\scripts\humanoidAnimateR15MoodsGrounding.rbxm	RobloxPlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerLauncher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerLauncher.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1720baa3c1c34d9c\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioLauncherBeta.exe"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1720baa3c1c34d9c\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1720baa3c1c34d9c\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1720baa3c1c34d9c\\RobloxPlayerLauncher.exe\" %1"	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\roblox-player\shell	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1720baa3c1c34d9c\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1720baa3c1c34d9c\\RobloxPlayerLauncher.exe"	RobloxPlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe
832	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2028	1468	RobloxPlayerLauncher (1).exe	82
PID 1468 wrote to memory of 2028	1468	RobloxPlayerLauncher (1).exe	82
PID 1468 wrote to memory of 2028	1468	RobloxPlayerLauncher (1).exe	82
PID 1468 wrote to memory of 832	1468	RobloxPlayerLauncher (1).exe	85
PID 1468 wrote to memory of 832	1468	RobloxPlayerLauncher (1).exe	85
PID 1468 wrote to memory of 832	1468	RobloxPlayerLauncher (1).exe	85
PID 832 wrote to memory of 3384	832	RobloxPlayerLauncher.exe	86
PID 832 wrote to memory of 3384	832	RobloxPlayerLauncher.exe	86
PID 832 wrote to memory of 3384	832	RobloxPlayerLauncher.exe	86

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher (1).exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher (1).exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher (1).exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher (1).exe" --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=142432bbee131ec1e680ff4280b83f65c7d4b91b --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x6d4,0x77c,0x7e0,0x6c0,0x6a8,0xa00af4,0xa00b04,0xa00b14
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe
    C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=d4a4a4ad1cbd35850c37a672e5c216b9b80fbbae --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x70c,0x710,0x714,0x684,0x72c,0x13bf748,0x13bf758,0x13bf768
    3⤵
    - Executes dropped EXE
    PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe

Filesize
2.0MB

MD5
fb8063aac5fdc0ec530d93a6cd569601

SHA1
11e56d7705a0cfd294c6b8c7e7eaddc59391dca1

SHA256
3ceb12534ed8636e035d721ff7dc0e581d2f610e7b89b1246d9fe11b9d1b93f0

SHA512
561bda75a3e55bc768e483165bf285ce67638ab0a6ceb15e08593d635311cbd128cc7b340ab0a043efa95ebd4b37db215a3ec98e39e6b7465149acdd539c3539

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-1720baa3c1c34d9c\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
71044866abd760632917f89ac39451ac

SHA1
feb7b02f1e7a3206698f8d3f2e554f0419a8f686

SHA256
460cd2ae6aecc2633e3b12e55a2d9071cbffcab21d371539f0b1a802d5cd8270

SHA512
98d741ee76e9cd082662be49c11b85408643dbfc39289f4194f0cb63d0d21cb3f986f28d2fc65600bbad4520e78cc57aca40fd43dd9cef3342f4b23565c67734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
2KB

MD5
dd2ea315bf28583d057da8ad589bd010

SHA1
6b6e445f08a771d1ad53decf2bf67b9a694cbdc5

SHA256
b433ca88b457a156bc7bf91165bf42c04fcca42362e443c432af54373ddb9d85

SHA512
b3124041eab14f185e6f4607bc875dc4bb779c9fe0358042343d5448b9b527b32bc8844e7a8e1720ea34862a43f1ef1c483d8c53e741b4fdab27694b083534dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
806857b3b9f90acd13ea162780b2b17e

SHA1
354d254b2916a589a910472c287c06de51c28595

SHA256
5223a4da9850ed81ec88988ed20b55bffbc7b3fde4144b5f7e41196d58165d48

SHA512
338d2680d68965e05212c7e0ee55901fe156bfa10ef37a0f00dbf0e667e49b96151ceb21f66d7267bb87cb277b0c5cde050626a9ecd0bcb8762633881baaa7e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_8188B0251A6967A35A03878927DFE701

Filesize
472B

MD5
def8dfe7022e65695ea760ecdad81f39

SHA1
48f6f7dd5dab09e97beb98c5fde65721c4ed38de

SHA256
0476b5074917399ba615085f899d2adeee95c36cd6ee8bd34271bc1f387db65e

SHA512
71343941aa04efc90e34c286740e908479ea009cf94a2b809b8531d63af98ea99ed3677c3c9645deb8a6fd142ff862519044156b05ee8fa4569058ee952a7b35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
e23d8cd61c2e75283867a91ce42aa1dc

SHA1
a86f54bb4f00cf0fcd3efc3951d54e168d25c7f4

SHA256
0a8b65baa91fb423458dd64e067a6009cd4ce9a93c65ac4b448025403ab0ea9c

SHA512
89483da80407e373d6d0f18b4ddd3976a5cd8e590b398de51e881623f54e4c146ec57def18c26c8f7ca5e7ed00b51b9a94d14ad38d2d716b416507b41144c5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a717bee82a54c06eafd8696c31408c20

SHA1
d04878056daf3b630b5bcf19eb6431e03cbd1e71

SHA256
81bc12a11aabaf5de16b43d573b2cf0f35f62d9a85a2b59213260a834d78592f

SHA512
d8a418d27a7c10d0fcc9df95b6972c2bb554c21431a19064226da963abda0b36076a1decab33f632397b84d5b5d22406d3b238570b2ded0d71f07e6f7094a7fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
426767684a784d78277156a5f1cc54ef

SHA1
7bef2efcf672f3fc80cd885ac0494ea64806d156

SHA256
907b0c9511f3192410a5e27406a9308a7b795c872dca78725a7edf84e1ca58d7

SHA512
b2af25efa4e236196d776675740df30c8b7fc2d0af7a53a3fab0cf59c3809142688761533f322ca179da436c74d1dbc8b1b98bc075416e614a1544cdf272d4f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
488B

MD5
1eff317494af6321ec97bff6c08c4ddb

SHA1
b0a9e21d6bf64f138a919e1cbea36e83fdec70b9

SHA256
8db7c731f2f23b0f2d4ac02873f419ec139a99f59f2a1005c27fff8c583e2720

SHA512
b40c7f6877434a6a38046e890a0b5480370c1a4bf8ae6e0b4b5021dab541dea61951ecc810663d5c5a038e24261da585a31e65c21b9e6c444c89dac0fc44dada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
b8003ae733cffe406c51264363dd0276

SHA1
0bd5a1f4b8f5df3129aa375f9d296ae67d4c5220

SHA256
1f61d50e9d1381f3646be02ea08aa330b6036bb47f26d1a2bc7edb52cfea2a9f

SHA512
f4edefb62b848c86d05b50a9c2c5c07d3a73176c77e4b1a9aeb77cd9d8bcb6bca50216607e312ba1328684828a8eb77e55f4681a18ddba00faff36f315199eeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_8188B0251A6967A35A03878927DFE701

Filesize
496B

MD5
a964d0d726a9e42bde5538103c2aff61

SHA1
96a17887e5723e1fd1c45a534ebd8a9e9b2388ee

SHA256
1813432f27ce8fd975eb6505f20c09066b77375def997d100ff957872a266edd

SHA512
1896c0133ad9ef3ac57b9a919bea0832ea3888e94816121895cea7d66afb39eafbf8e5a9f306d4e3e8b23619dbe8fe2949480ffceb462f97be5fda45754798eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3d9f28558a55ed1591b7ce9838911147

SHA1
ae4bd05ea800cfc6648e1eafb8b6ac7bbd58e81a

SHA256
4a932079678a6d3f8caa31c89bf5114f9e68578d0735ef44bb9201d40ea5be44

SHA512
ea44a50ef96cf8cf9538244f662f1ba67d5ae953efef24d701b93f1e20497019ed3c45857a9abe043d71259217db296d26de2c5ade4ba460d6d223d7d38a4b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
529419ae4c6042ba07d009135d08d4ef

SHA1
10d8000a90c1814ec7f99714a24fc3205edc2708

SHA256
b0ad6d29b33a272c60ab71973353e7b48c2191adb8d5158f75bc1381c1e6104a

SHA512
7a32ec0adddd904ad7b7cb95e9c2973170ab52e2d9209673916d7f72e3b7cdf8c137bf4ff1fe5eb7005e397275ae49c67a6d1a31cbd4458b2b66bb33abab597f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
d3e50b78582fda4083c0193827a0b85c

SHA1
d0e07793cb5f1dc1d3c035bf978e3278d01f60f0

SHA256
d2806f5dbd48237d0216c2d00915f3e77e13de533a003ae987e8351cd6cff434

SHA512
4f6372bd698d9311d6afae20f63aa8f30bfe88c5980b4127d2d7b31cf6ba28c8555754c2e9b9614ff57d6a2bd524b71ee073fb3244d8a71be868489ab5102327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\WindowsPlayer[1].json

Filesize
119B

MD5
656e84d9aabf9d220cb5e55b31b7342f

SHA1
056efaf69bdf7cca1a46fad28deeb087ec874e8a

SHA256
4db3c748fea88e1083848e2323152d116adda5400431191de3fdb08334232467

SHA512
27d4ce499895e52f316b7645ff869c8b74170ad20c484c7e8f51d12044bfc2b4a5a594ef381baba2cb6e01c93c0688666d8e6acac3afaeaef987a34c7c6bc996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V6GB5GU8\BatchIncrement[1].json

Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V6GB5GU8\version-1720baa3c1c34d9c-rbxPkgManifest[1].txt

Filesize
1KB

MD5
16c5225d832a4bf8d6541f5e2675a642

SHA1
779139629695c67f16a2bbba47d516aab52b4f7c

SHA256
3b69f842e04b6d090bb6d7f17ffc18d6044138d5ee0a41dcaacbd4d15da2baca

SHA512
a0d4c70aa842976f6cedebaf086d8d5253754375729c5bcac47567bfa9694275eeb76ab01bf15910c0e0def60203f009ac784ad9dd711ee1ffda8a5e2d2a465d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\PCClientBootstrapper[1].json

Filesize
2KB

MD5
f47efd2be737b7a273091d90dc20446c

SHA1
689d2c933298230188196513f2a2e93dd0a284c4

SHA256
29e01cde1afb607fe21427d0ef6eb91f494dcb2a976da013fceed6942ef989fa

SHA512
2a812f7d661b6ccc68a9df292c2f1f8dec2bc2b8fd60314ecb7b513eff5d65e71af316a41b12f0ec9b5d640d45b863f2388b2a35b798024dce6df3ae3f895a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\WindowsPlayer[1].json

Filesize
119B

MD5
656e84d9aabf9d220cb5e55b31b7342f

SHA1
056efaf69bdf7cca1a46fad28deeb087ec874e8a

SHA256
4db3c748fea88e1083848e2323152d116adda5400431191de3fdb08334232467

SHA512
27d4ce499895e52f316b7645ff869c8b74170ad20c484c7e8f51d12044bfc2b4a5a594ef381baba2cb6e01c93c0688666d8e6acac3afaeaef987a34c7c6bc996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
71044866abd760632917f89ac39451ac

SHA1
feb7b02f1e7a3206698f8d3f2e554f0419a8f686

SHA256
460cd2ae6aecc2633e3b12e55a2d9071cbffcab21d371539f0b1a802d5cd8270

SHA512
98d741ee76e9cd082662be49c11b85408643dbfc39289f4194f0cb63d0d21cb3f986f28d2fc65600bbad4520e78cc57aca40fd43dd9cef3342f4b23565c67734

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
71044866abd760632917f89ac39451ac

SHA1
feb7b02f1e7a3206698f8d3f2e554f0419a8f686

SHA256
460cd2ae6aecc2633e3b12e55a2d9071cbffcab21d371539f0b1a802d5cd8270

SHA512
98d741ee76e9cd082662be49c11b85408643dbfc39289f4194f0cb63d0d21cb3f986f28d2fc65600bbad4520e78cc57aca40fd43dd9cef3342f4b23565c67734

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBX-E624D386\RobloxPlayerLauncher.exe

Filesize
2.0MB

MD5
71044866abd760632917f89ac39451ac

SHA1
feb7b02f1e7a3206698f8d3f2e554f0419a8f686

SHA256
460cd2ae6aecc2633e3b12e55a2d9071cbffcab21d371539f0b1a802d5cd8270

SHA512
98d741ee76e9cd082662be49c11b85408643dbfc39289f4194f0cb63d0d21cb3f986f28d2fc65600bbad4520e78cc57aca40fd43dd9cef3342f4b23565c67734

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat

Filesize
40B

MD5
5dd48983d5f77cbd9e08e27c29afdae2

SHA1
a568bccef15ea257258aaf76ac9f7a50b9085dac

SHA256
9fb2b42280c7a67f1dce97d3f3d95787282ec1a1a24012e9a420fa95ea925846

SHA512
b3be4a16093f09faa1733d3b24f42424b38d9bcff2823f2eede4c5a50b2aac7e1ec41528c876b199263cd9b1e665360541cb2d371979c8ab6a8c5722a3363d85

Download Submit