Analysis
-
max time kernel: 593s
max time network: 598s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 03:02
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.mediafire.com/file/u87dj71h247d5a6/Cheat_Engine_7.5.zip/file
Resource: win10v2004-20240226-en
General
-
Target: https://www.mediafire.com/file/u87dj71h247d5a6/Cheat_Engine_7.5.zip/file
Malware Config
Signatures
-
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\System32\wintrust.dll | cheatengine-x86_64.exe
-
Executes dropped EXE 4 IoCs
pid | Process
3980 | RobloxPlayerBeta.exe
5976 | RobloxPlayerBeta.exe
5752 | RobloxPlayerBeta.exe
4440 | RobloxPlayerBeta.exe
-
Loads dropped DLL 4 IoCs
pid | Process
3980 | RobloxPlayerBeta.exe
5976 | RobloxPlayerBeta.exe
5752 | RobloxPlayerBeta.exe
4440 | RobloxPlayerBeta.exe
-
Drops file in System32 directory 59 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
pid | Process
3980 | RobloxPlayerBeta.exe
5976 | RobloxPlayerBeta.exe
5752 | RobloxPlayerBeta.exe
4440 | RobloxPlayerBeta.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll | cheatengine-x86_64.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | RobloxPlayerInstaller.exe
-
Modifies registry class 31 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-94a1a798754e4385\\RobloxPlayerBeta.exe\" %1" | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\version = "version-94a1a798754e4385" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{39AFBDD3-3013-4306-9997-C5FCD989FB36} | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-1c901af996da417b" | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-94a1a798754e4385" | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-94a1a798754e4385\\RobloxPlayerBeta.exe\" %1" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1" | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-94a1a798754e4385\\RobloxPlayerBeta.exe" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe" | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon | RobloxPlayerInstaller.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-94a1a798754e4385\\RobloxPlayerBeta.exe" | RobloxPlayerInstaller.exe
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeTcbPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeTcbPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeLoadDriverPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeCreateGlobalPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeLockMemoryPrivilege | 4268 | cheatengine-x86_64.exe
Token: 33 | 4268 | cheatengine-x86_64.exe
Token: SeSecurityPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeTakeOwnershipPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeManageVolumePrivilege | 4268 | cheatengine-x86_64.exe
Token: SeBackupPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeCreatePagefilePrivilege | 4268 | cheatengine-x86_64.exe
Token: SeShutdownPrivilege | 4268 | cheatengine-x86_64.exe
Token: SeRestorePrivilege | 4268 | cheatengine-x86_64.exe
Token: 33 | 4268 | cheatengine-x86_64.exe
Token: SeIncBasePriorityPrivilege | 4268 | cheatengine-x86_64.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4268 | cheatengine-x86_64.exe
-
Suspicious use of UnmapMainImage 4 IoCs
pid | Process
3980 | RobloxPlayerBeta.exe
5976 | RobloxPlayerBeta.exe
5752 | RobloxPlayerBeta.exe
4440 | RobloxPlayerBeta.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 1376 wrote to memory of 3980 | 1376 | RobloxPlayerInstaller.exe | 171
PID 1376 wrote to memory of 3980 | 1376 | RobloxPlayerInstaller.exe | 171
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/u87dj71h247d5a6/Cheat_Engine_7.5.zip/file1⤵PID:1488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=560 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:2480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5364 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:4372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5420 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵PID:4928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5476 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:1500
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵PID:3460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5884 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:1652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6072 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:4604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6508 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵PID:1160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6560 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:4104
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6832 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:4136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6952 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:2124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=7092 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:1980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=4596 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:11⤵PID:5296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:81⤵PID:5368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=3704 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:5504
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=7220 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:5760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=3652 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:5940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6100 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:5980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6036 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:6048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=6332 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:6124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8188 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:2532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8348 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:5580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=7900 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:5536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8636 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:5604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=8240 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:4132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=6596 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:3188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=8340 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:1084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=8700 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:4252
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6692 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:3356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=5788 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5836 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:2788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8776 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
- Modifies registry class
PID:2916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=6148 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:2456
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=5704 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=5488 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:1308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=9036 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:4928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=9180 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:3700
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=5760 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:2980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5844 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:2020
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:216
-
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe" -app -isInstallerLaunch
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3980
-
-
C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:5976
-
C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:5752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --mojo-platform-channel-handle=9208 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9388 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:1500
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=8444 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:5440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:1376
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9140 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID:5816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --mojo-platform-channel-handle=6716 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
PID:1512
-
C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe
"C:\Program Files (x86)\Roblox\Versions\version-94a1a798754e4385\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:RBMnRc9ah9vvcnWKQNSgiAdN1-wPHoswiq_BjyrakX0kp7EXTs2X-afaIQWwc9uuq9hg92WQJWKLrVEZcQiKAuQfnZ0cJOKYDruwTEQ5abwcNxg266FhC_h6efHNtxGNXIut3ZprI2wjK3GKXhTrOxv7ltGVk85uw0Tm8qRi-XFfu5DUjRRaUTmtbkzOksv1e11X0-lNkck0zGS4j0OKstvzjUJ6dG99hyNTX9Sl_ws+launchtime:1711422694735+placelauncherurl:https%3A%2F%2Fassetgame.roblox.com%2Fgame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D222029951706%26placeId%3D2753915549%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D35a31f0d-1b64-4fe8-98ff-39294fb6be7c%26joinAttemptOrigin%3DPlayButton+browsertrackerid:222029951706+robloxLocale:en_us+gameLocale:en_us+channel:zexpvariantpublic+LaunchExp:InApp
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:4440
-
C:\Users\Admin\Downloads\Cheat Engine 7.5\Cheat Engine 7.5\cheatengine-x86_64.exe
"C:\Users\Admin\Downloads\Cheat Engine 7.5\Cheat Engine 7.5\cheatengine-x86_64.exe"
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4268
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 4.0MB
MD5 7a6739dd0625c7de5a06bc5f708bfedb
SHA1 1af1307cd6f2b3ca0145926411d3d82899db8dbc
SHA256 a18674d704f9077e69bd99d5dc0cbfbcbb513e5e29478d795bdbc391d3df7900
SHA512 d9afbc529d48a0fe02ccb7f2ad2d30351cca1bb1d86475ab9c6b3dd78ebaa669f06178e39a968848dc1b64e5c42ee47405acd916e6ff3fe49f5ec8cae5359e1c
-
Filesize 468KB
MD5 5e5b7dd6d00b2ddf38d2481ffe5ae0a1
SHA1 15d4db32b17a233ac04130db4be51c7630192392
SHA256 ff413a1a990e45546f9f06c9407c37871e26db6374c187c364046bf4248fc957
SHA512 e7e2a37ac98c18c2868bc648c9227f0217ceaa059528f4885750b68e475a3a349dacd2b9ac27166ccf9dac626d1a4940c34224f709f86036248f328d5fd0d5eb
-
Filesize 540KB
MD5 c64fd44dc0f2d49ac4abce6ddad96bea
SHA1 17cad53a8acfed54be7a34368b6033fa9eecd1ca
SHA256 93aac1dd7723e748f8507e8a9b6a3a211a82e2de20de9ee9898ad6caa4cc2a59
SHA512 c0590d5e89a5fef86815da9100dffcd41ead8fa26534212545b7790fbbdbe6fe028a636b22cf49d36f3b48f6929eb2da1feb724fe852fc3ea0e60a0379fb2d37
-
Filesize 792KB
MD5 9b019a1259de5e3c033350b05610ce6e
SHA1 7d0092fa89b3f1481cc3662803a8e286773656f8
SHA256 0ddbc5856a975a539314373c1663a3db4a0c59a013362956423354251c62e8ae
SHA512 5384479f61371ea5a8ca3f72da6c78e9b6c9d66501176dabf22415a80d2647e54a06090d08ec00e3ce456a24dc6c5d2ad4d0251fbaa81fef2561db77e5ba48c0
-
Filesize 7.1MB
MD5 b39b2bd619faebd879516cc708439885
SHA1 c998ec7ca5963787380a517d27105bd9746f7074
SHA256 3180558fb517b5cf3e8984e1ef8a65b149bef3e07f393e88b921431fa8455b60
SHA512 355e57a0a9cd7df1472dc4df85ea25574dfbf5b9fd0fd8e1b45876fb0fe1c36c428041937f77656fd8cddab98f770ea57694e2760d5edcbaa826080212e34525
-
Filesize 832KB
MD5 9300b7dd4be1481cf2b0cd390d1fb2c0
SHA1 0b3fbb6a60304d6872a468eb90cc34b13f4ef942
SHA256 0054ef037247f654ccad8dcf93a1bb993e37f18bbcd92b26c0c4d97f26a92f9b
SHA512 dd54db0b58169ef05871566c7f3a3ba20e6b1d833dd61f9c7626378deafacf75642850fb1d34fe8ac09fc58f85cf406d604a7219411fd828464521b2830bdab6
-
Filesize 734KB
MD5 79078717590ec0d32cf00399cf0bff20
SHA1 60bfee29efd8667c14bfba86bd1d1a139332345b
SHA256 4107af45cb3191f50d8ed4d1f566bf68dd4ba69e9a180329cc0d9a0df7ebe3bc
SHA512 71bd1e807c2703e2ed3e88a48d05bdc8f29e0ada251e1f7e1ddfb86f1b7377bf6c2cc1185272297a378df1bc26ca533653b8cde460093a4c5e8047fc29d69a0a
-
Filesize 941KB
MD5 1885607aaf51171b796cc639e6bb90a1
SHA1 620aec0d470ca9822865db8ddc7bdd18fbe58bea
SHA256 d84b71bad5da669a1114ebcab171b4c2e4e26f328ce8f583128196f97db83861
SHA512 639cbafa3ba97693b87821ef7126f4eb7884b53496e8853a22bb6319e0020a21c0e1ca934e904289dad3bbd996a8688fee87b4a20d244312753cff8a0193b807
-
Filesize 357KB
MD5 da7c79924b41a5bd0da4c6fa1148be3c
SHA1 13a537d5ad4dd3e2eda985caa1a92c7aa0e59c6d
SHA256 640363b8827d66627c2f713042d16a76b09c34fa8e749352f47053b01aabd6b4
SHA512 3feb20d64fa8545bcaf949c237947a90d711b1e4258bd5fc7adb21337c19cb6dc5421c2a3f693b5a3a07c416b7e29b1c6fefa03e67c93b4014bbc43be31fd759
-
Filesize 1.3MB
MD5 72bb75e0724497e4d144ee7c0e2c8911
SHA1 af8632593c74d63371c8a005699942d09f67303d
SHA256 ba19d9a3778b4103f72ea20181bd8f2f7cfd61892ee060d61f3cd6b1cbc5fd54
SHA512 50a89bb2009d5df1aad158c9b35873e8cbe42340b040f93f2f6ffbcbc7dd676ffc3fd59dbddee86618fc75bcb4c2afbd938744541df6784890249a30aa62f8a6
-
C:\Users\Admin\AppData\Local\Temp\Wheat Engine\{196B2ECB-40AA-4118-A8BB-154DA91E7B80}\ADDRESSES.FIRST
Filesize 7B
MD5 ecdf0684a14d5b747c245d659b5f33b1
SHA1 fee7035409106461ca06d14236db42543aa042ee
SHA256 631bdc5422d1339287bf86b7a204f35956f676d473b27879f304d608238c318d
SHA512 e4cdd4b29e1a8cb4d1161a019a304122df5299d62001c3a03426d89b9b7f1fe69e3c3adff0bd036f333490d8673081da50b3165d44c4978e00980b4df7aa920d