e4978edbdc4952f6cc4e148f94e5028e5fd5253134a6ee5afedcb7c732026da5

Analysis

max time kernel
83s
max time network
162s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-04-2023 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Mod Menu.exe
Size

86.8MB
MD5

26d088d71dfb2b64adfed821a03d91a2
SHA1

31f65cc0d5312c7323fdd9056ccc9c9df4fc8424
SHA256

203614112bb28070116344b4c63a75c12990c83abee247c9f11dffad8bc64354
SHA512

a9111be41a0bd6ac9097698aaf28cbce43088e8bc6a0b2b3ec1e679315bc7fc2a450ca509eab0e83423b64b17c55c602d715deee4615be95237519e219c89474
SSDEEP

1572864:/FgYdsOqAgEUgTEIbOZ+e0zJkJSQifKUoytRZBozRC+FF6RQOGL0j1+w7WG:SAs3vARbB1tyj4ZB0LcFSG

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\International\Geo\Nation	Roblox Mod Menu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\International\Geo\Nation	Roblox Mod Menu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\International\Geo\Nation	Roblox Mod Menu.exe

Executes dropped EXE 5 IoCs

pid	Process
5040	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
2080	Roblox Mod Menu.exe
2124	Roblox Mod Menu.exe
3508	Roblox Mod Menu.exe

Loads dropped DLL 10 IoCs

pid	Process
5040	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
1684	Roblox Mod Menu.exe
2080	Roblox Mod Menu.exe
2124	Roblox Mod Menu.exe
3508	Roblox Mod Menu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	Roblox Mod Menu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox Mod Menu = "C:\\Users\\Admin\\AppData\\Roaming\\Roblox Mod Menu\\Roblox Mod Menu.exe"	Roblox Mod Menu.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Roblox Mod Menu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Roblox Mod Menu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Roblox Mod Menu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Roblox Mod Menu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Roblox Mod Menu.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid
4
4
4
4
4

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeShutdownPrivilege	3464	svchost.exe
Token: SeCreatePagefilePrivilege	3464	svchost.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeShutdownPrivilege	5040	Roblox Mod Menu.exe
Token: SeCreatePagefilePrivilege	5040	Roblox Mod Menu.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe
Token: SeLoadDriverPrivilege	3464	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2408	Roblox Mod Menu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 5040	2408	Roblox Mod Menu.exe	68
PID 2408 wrote to memory of 5040	2408	Roblox Mod Menu.exe	68
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 1684	5040	Roblox Mod Menu.exe	70
PID 5040 wrote to memory of 2080	5040	Roblox Mod Menu.exe	71
PID 5040 wrote to memory of 2080	5040	Roblox Mod Menu.exe	71
PID 5040 wrote to memory of 2124	5040	Roblox Mod Menu.exe	72
PID 5040 wrote to memory of 2124	5040	Roblox Mod Menu.exe	72
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79
PID 5040 wrote to memory of 3508	5040	Roblox Mod Menu.exe	79

C:\Users\Admin\AppData\Local\Temp\Roblox Mod Menu.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Mod Menu.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe
  "C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1352 --field-trial-handle=1592,i,9457657537854222872,1245897503243729572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1684
- - C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef" --mojo-platform-channel-handle=1752 --field-trial-handle=1592,i,9457657537854222872,1245897503243729572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2080
- - C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef" --app-user-model-id=roblox-mod-menu-nativefier-050aef --app-path="C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1984 --field-trial-handle=1592,i,9457657537854222872,1245897503243729572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2124
- - C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe
    "C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef" --app-user-model-id=roblox-mod-menu-nativefier-050aef --app-path="C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1592,i,9457657537854222872,1245897503243729572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3508

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:1636

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3488

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:360

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3464

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:2412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4260
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.0.1973777583\1034600523" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1656 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00ddaf22-0899-435a-ac31-1c2efad34a2a} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 1760 1ca4c71a258 gpu
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.1.1620783012\1930397755" -parentBuildID 20221007134813 -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b876728a-4ac3-4bcd-94c2-6e80a08c7377} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 2108 1ca4b60cf58 socket
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.2.746290255\1012151363" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3068 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53f69784-0b3f-43c8-bab6-7f4c26d80e19} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 2792 1ca4f640658 tab
    3⤵
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.3.1135059840\2110046043" -childID 2 -isForBrowser -prefsHandle 1300 -prefMapHandle 1076 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e1bb056-b70e-409c-b48f-1919780f9e6c} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 3336 1ca50454358 tab
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.4.1821312237\1440446726" -childID 3 -isForBrowser -prefsHandle 3604 -prefMapHandle 1068 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {616c2cd5-8d6e-4e47-8741-d623d550cf37} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 3796 1ca3ff65858 tab
    3⤵
    PID:2556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.5.1488028817\1936501730" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4884 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d04400-e1cd-4a0b-a775-b029cebd6696} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 4908 1ca51a42e58 tab
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.7.704329214\407682218" -childID 6 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0523ccd9-4cfc-4b2e-bef2-00843c4ad673} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 5124 1ca51fcd258 tab
    3⤵
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.6.1442430227\1113070476" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 4848 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13f55e87-b001-463d-b62c-0cb774500624} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 5028 1ca51e21f58 tab
    3⤵
    PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp

Filesize
133KB

MD5
888a1dbbab629c870ad8cf1c043ac2b8

SHA1
e9e2d96808a0f61dd0b6382af5e5f62794552cb1

SHA256
17296ef6f10b8259a2978697e00808142236c4426fc8bf32be3fc4654dff0720

SHA512
c1acddb0ab2023f883eee70727bf5df927bf7ec278ad318b51f22c2f00bf8ca41d44d4192f77953a8f1bd7a54096dae2ebc84fa7746ef3b9f278ad5202292137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js

Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a9d4901270650ef04d5e142945963429

SHA1
4aa7b7b8941d4e8b8c70069c10191e5475a7cf5e

SHA256
da892667992b57e37780689799be43b3e4e82462e7b9f7765efa65df80555d29

SHA512
23e880266ba44040daa9970e2c3fadf1706d11b472c3747e13a590034b0f9320caf420df2173af9d54b8466779ca45a687589bd43e043946658a279c5a15b180

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\D3DCompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\Roblox Mod Menu.exe

Filesize
142.1MB

MD5
c206a489223afc78c07540ee76474baf

SHA1
3f66e64cc50c70d74b246e4cb72fc64c86a65fa3

SHA256
21cd6d2a634e5502cb1b8f4800e55a5a588975ded9cecb3369a565dee97a6f1e

SHA512
2c4bc3a81a925546f25dd2c2e693dc5309f94b64fc274750b8672213f4bae0da2f436a1acbf9c0e8d3947061e9a02cf175b44d1afeb6eb05308bad2418ba7d07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\libegl.dll

Filesize
460KB

MD5
961c060f241a7ae22e962c82d7803ef1

SHA1
0060b167e55db981c1588ca2074b8ca38b9a8153

SHA256
c8e8007d746df73edbf73cdff18c09bb756f43814978c84a28a72f95d0ac5dc9

SHA512
79539e0d0036124b59f94c6fec0c596e64c41626b9994ff7457f2f6b26e8f2648f93f63f6422c444eb3c8b803079f6ef1f52191980ea88de9d25c40b30547599

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\libglesv2.dll

Filesize
6.8MB

MD5
18d62249e5bd4fa1f66c95a9ee9eb275

SHA1
4ea5d8344a8fc09ed2bda4d3034c3c8410c85e91

SHA256
3299de173b3e5ce2f69476b77d96f6a758b2ccfdf3ad811902e5cd511c6888ff

SHA512
fa29557836e56f981249ee8500a8271a7795cbe2a4afb6abbbd57e4aa26c6b731d151258f093643bbfa18cd9adf706a9e4d532481c62d713b7f1a1045301dc07

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources.pak

Filesize
4.9MB

MD5
c7b17b0c9e6e6aad4ffd1d61c9200123

SHA1
63a46fc028304de3920252c0dab5aa0a8095ed7d

SHA256
574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66

SHA512
96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app\icon.ico

Filesize
28KB

MD5
e718b557b56021745c64f924972e082a

SHA1
fd77644ba0e3e643fe31a9d8e8dabb43b1741342

SHA256
8b063509b751d03434b657a555a0a863573f0b7261d4ecf675f969fc4abb1514

SHA512
f528be23c02847bf8efd2eb8f04e02597a23aa4fee1e3f62ab35403eb2df89dbdb0695a7b41516ea5d5188d901dd9a1140727cec0e06599533ee578555940fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app\lib\main.js

Filesize
495KB

MD5
d1bbee38f184cd44322a0bbae13d6b7d

SHA1
900c2362ed581436a7e0b5210ae1cc2fba769ca0

SHA256
3bc4df185354269c757e4c31414ded23866a6e5bb880b07e2ba22e1314281863

SHA512
6ca51132ff3e88c97005c626d913d263a9ed383e64803f66a980ce57e92e3bba16b3008b87480818476cde5979efea6bc2c1edb1472517a93d26d1bccb75d0a2

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app\lib\preload.js

Filesize
4KB

MD5
fa55c68c5f0b5a560604becb9df601fe

SHA1
0eeb7a10a9574238d6360ab895c78ddfdbca61ed

SHA256
317ea36e9119cd2024689687aaf927287213b5ec2909bb98c1ae87a01b49106e

SHA512
709da44b05879e4c1e8121e8c818e364bd6167d873529274d9ed63ea1b25a1ff4e9f501f11668a01677f9f610950a44b9fcbef99356d4c3cd9db51619d2dd9bd

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app\nativefier.json

Filesize
960B

MD5
b682af20dca7dea29bb873f88f631676

SHA1
1ca7d911be6893956768106db53c071c2acf736a

SHA256
f656493527494dea144dfcb886f654b88a6f631afb7b3cdaca1782e8bbf54d67

SHA512
65fc734c9edf6adc270905b16c72a42e55f6ae861cf9543134fca81521c291f20236220e3e40ec9d71423f0cd4dcad5cc76152932be75b3af87a6f64f28987c7

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\resources\app\package.json

Filesize
602B

MD5
cd6ebe19e6877a938f5066b77fa912b0

SHA1
9aeed87b6a7e2895a5afbc33c6f6ef6b93b3ec14

SHA256
df8bf90a3a5084509e768cb4db48b6bb68c284ed8cbe9cc1027467d5c791170d

SHA512
ca97c620abc086b30725b638388cb43a10432d6d637279ada29eea5d8f334455ba4173964f743dae6badc41b41285a556095e1dc1c6784e9367d137235366042

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\v8_context_snapshot.bin

Filesize
713KB

MD5
1270ddd6641f34d158ea05531a319ec9

SHA1
7d688b21acadb252ad8f175f64f5a3e44b483b0b

SHA256
47a8d799b55ba4c7a55498e0876521ad11cc2fa349665b11c715334a77f72b29

SHA512
710c18ef4e21aa6f666fa4f8d123b388c751e061b2197dae0332091fbef5bd216400c0f3bca8622f89e88733f23c66571a431eb3330dba87de1fc16979589e97

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\vk_swiftshader.dll

Filesize
4.5MB

MD5
fcec6c6fbc34cfd9a449af66364da381

SHA1
f6016b721dec138d75e9d542f3e2210a673ad52b

SHA256
738fe97f7fbafa6524f11cf0cf0999ca3aef752bed44e1179d589aae92937ed2

SHA512
26527975979e58870c3c365b9ab432b4b3af88ed606673971fba009489db4482a5ace0e122b8cf67de075c37174c7c423ee8e219cfb4c9a331be66bb8af9edf9

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Mod Menu\vulkan-1.dll

Filesize
854KB

MD5
8df5d7efc2d9092102e2a92e097a33be

SHA1
cc9801f6bd7e818b86fe4fb52752eadbdd859a7d

SHA256
8ee6e0d63b89d920dc627fca1af5f19653d51e8318adb064cc4f122576e780ce

SHA512
ee65444dcd37dff045826dc922dcc97ccd44d7ddfe373bcd971ce0facf91e13f3df07a1368fd6c49e63e8c5c19fc2fd669182f688e80d83804c534dd9d10f1da

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
4cecc58dc4c51b625cd8667db8588f55

SHA1
7856fd51dc4815dfde937f5357f65fdc54cba1ef

SHA256
397ec890a7789d51fa5d6c39757b8dbd408a9a07fc7766ddf6d64662454c6f84

SHA512
6914196269da6fcf8f7faafccddcf13c5f595569c8722fe926c3a05015223e15a62c049b532eb790b474abd13814c0ed89fb03dad48e8e3d2c36873aa7ba434e

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
a5feefb991ebb0c1859f2c1f1281e691

SHA1
040c2a8804de7725bdf3b5f7ea3efc585a6de098

SHA256
ff63eac1dfeac9fb8dee693e6ed9af5843900183ae051e41651ce9386170d2f5

SHA512
ac0577e5cc8e5717d447a370ab154c7a746519ccfb4754cda1cd896c3823b227bcdc17174da628e04d7d7532103638514d77743e43a89cadc45d56f28efdcf68

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Network\Network Persistent State

Filesize
1KB

MD5
e7ad1def997f4e4c30db5eddda08c763

SHA1
266ff3c4456bbea0ebedc77c1d1a7544c0fae2ff

SHA256
88dcb9435d68cb173abd47006488f4417707b97c67b178d705616b7f23887ef4

SHA512
967ff88995884ce60af281e7b99a8e0fb5e364d6f2f924c48373f2a6fa5a367d5d6d4fedcae4827adfc56feac53b4a25667a01210a7ad135ace23dd9980ec29c

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Network\Network Persistent State~RFe589cb8.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Network\TransportSecurity

Filesize
539B

MD5
d3f5567e979356dfeb206217f9469414

SHA1
751ad4bbe52940eac13611438336793b7bf084bf

SHA256
88394eb71db519502fa297552729dd83c8babd07003a71678bbe244809c6782b

SHA512
f173f3fc95d4712ee5173af5a24f36299d25d25479a7382a41a4633934c7b106b951b5c5a0a3ed3835c38541bd58297fe6cd6719772e72eaa3bab48c4a292ee3

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Network\TransportSecurity

Filesize
371B

MD5
05859090c805081dd79aee273deb9943

SHA1
f22d1e5acf4bb11915d9a69c7fe0b8fe79ed62d9

SHA256
85bdd8e0e2eb1f01fa04be50950cb954127fe69c2f5ca7baf1544e2e17d2dd21

SHA512
b9fc99bb3036afce7214c1e638801952123f00da3028e920a2be066b4ab09af1bbd9c96db9e9cfc681a599b2412339f29394f5f1cb34cb63a1068e6a4c95ad22

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Network\TransportSecurity~RFe58077d.TMP

Filesize
203B

MD5
29e0d53202cc909915cce9c2cd2352f1

SHA1
c1db9975ee9bf94c0dc6c7c9f2ef3bf99330b90a

SHA256
5e0502a82bcb615d20b4ae47c82b3b188eed502df4ae7ccbdf49f0505c8e706b

SHA512
6cb87cd5c8945281b9ea37313d047a9da264e3028bdcaa93d892cb2187f0f32ec7598a4669d75c1b6570ccd2c00d11f720d72951d3e65c86b2a53ef75b90f5f9

Download Submit
C:\Users\Admin\AppData\Roaming\roblox-mod-menu-nativefier-050aef\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\libEGL.dll

Filesize
460KB

MD5
961c060f241a7ae22e962c82d7803ef1

SHA1
0060b167e55db981c1588ca2074b8ca38b9a8153

SHA256
c8e8007d746df73edbf73cdff18c09bb756f43814978c84a28a72f95d0ac5dc9

SHA512
79539e0d0036124b59f94c6fec0c596e64c41626b9994ff7457f2f6b26e8f2648f93f63f6422c444eb3c8b803079f6ef1f52191980ea88de9d25c40b30547599

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\libGLESv2.dll

Filesize
6.8MB

MD5
18d62249e5bd4fa1f66c95a9ee9eb275

SHA1
4ea5d8344a8fc09ed2bda4d3034c3c8410c85e91

SHA256
3299de173b3e5ce2f69476b77d96f6a758b2ccfdf3ad811902e5cd511c6888ff

SHA512
fa29557836e56f981249ee8500a8271a7795cbe2a4afb6abbbd57e4aa26c6b731d151258f093643bbfa18cd9adf706a9e4d532481c62d713b7f1a1045301dc07

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\vk_swiftshader.dll

Filesize
4.5MB

MD5
fcec6c6fbc34cfd9a449af66364da381

SHA1
f6016b721dec138d75e9d542f3e2210a673ad52b

SHA256
738fe97f7fbafa6524f11cf0cf0999ca3aef752bed44e1179d589aae92937ed2

SHA512
26527975979e58870c3c365b9ab432b4b3af88ed606673971fba009489db4482a5ace0e122b8cf67de075c37174c7c423ee8e219cfb4c9a331be66bb8af9edf9

Download Submit
\Users\Admin\AppData\Roaming\Roblox Mod Menu\vulkan-1.dll

Filesize
854KB

MD5
8df5d7efc2d9092102e2a92e097a33be

SHA1
cc9801f6bd7e818b86fe4fb52752eadbdd859a7d

SHA256
8ee6e0d63b89d920dc627fca1af5f19653d51e8318adb064cc4f122576e780ce

SHA512
ee65444dcd37dff045826dc922dcc97ccd44d7ddfe373bcd971ce0facf91e13f3df07a1368fd6c49e63e8c5c19fc2fd669182f688e80d83804c534dd9d10f1da

Download Submit
memory/1684-384-0x00000211A9E90000-0x00000211A9EBD000-memory.dmp

Filesize
180KB

Download
memory/1684-351-0x00007FFFC17D0000-0x00007FFFC17D1000-memory.dmp

Filesize
4KB

Download
memory/2408-130-0x0000000000EA0000-0x0000000001182000-memory.dmp

Filesize
2.9MB

Download
memory/2408-319-0x0000000000EA0000-0x0000000001182000-memory.dmp

Filesize
2.9MB

Download
memory/2408-305-0x0000000000EA0000-0x0000000001182000-memory.dmp

Filesize
2.9MB

Download
memory/2408-129-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3508-439-0x00007FFFC3900000-0x00007FFFC3901000-memory.dmp

Filesize
4KB

Download
memory/3508-481-0x0000022A3E880000-0x0000022A3E8AD000-memory.dmp

Filesize
180KB

Download
memory/3508-480-0x0000022A3E670000-0x0000022A3E678000-memory.dmp

Filesize
32KB

Download
memory/3508-438-0x00007FFFC1590000-0x00007FFFC1591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads