5eac06573fb9289a5ad1dfa8b88d2d7b79f1bd89e61c53247f8cae50143e7a2c

Resubmissions

30-06-2024 01:09

240630-bh97ba1eka 8

30-06-2024 01:08

240630-bhqgxa1dra 8

29-06-2024 23:24

240629-3dznkaygrh 10

Analysis

max time kernel
1745s
max time network
1176s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerInstaller.exe
Size

5.4MB
MD5

84e67989f7ccd11c2b7db38f3d3443b8
SHA1

c3e821de715aa7508b3273de16c9156014d81922
SHA256

5eac06573fb9289a5ad1dfa8b88d2d7b79f1bd89e61c53247f8cae50143e7a2c
SHA512

d0ea7235f591f31edeb7183c91fb0bb1347a9386c170c43b21e2c5fd93b7040e73e1a1a9f3ef6f83d097b1af0f9e2a9938dd59ae47588940491da25248eb7d99
SSDEEP

98304:JDvBVrrsYuyzh6E1auhHgVZirlmxJLCCQa/BHA2ujaQ:JbrrBdb7gVxLCk/xPtQ

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	RobloxPlayerBeta.exe

Loads dropped DLL 1 IoCs

pid	Process
2144	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2144	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\mt_convert_part.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Chat\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\TopBar\moreOff.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\icons\GameDetails\social\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\models\RigBuilder\AnthroRigs.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\avatar\compositing\CompositLeftLegBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\LayeredClothingEditor\WorkspaceIcons\Auto-Weight.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\AssetConfig\restore.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\AppImageAtlas\img_set_2x_14.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\Controls\DesignSystem\ButtonControls.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\PurchasePrompt\SingleButton.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\PlatformContent\pc\textures\water\normal_19.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\sounds\action_footsteps_plastic.mp3	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\AnimationEditor\img_dark_scrubberhead.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\DeveloperFramework\UIOff_dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Settings\Radial\Leave.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\AssetConfig\rejected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\LegacyRbxGui\scroll.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\VoiceChat\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\RoactStudioWidgets\slider_handle_light.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\icon_shape_cube.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_3x_1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\Cursors\CrossMouseIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\VR\notifications.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\Controls\DesignSystem\Thumbstick2Horizontal.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\mt_erode.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Settings\Help\GenericController.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\models\ViewSelector\Axis.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\PlayStationController\ButtonL3.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaDiscussions\buttonFill.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\fonts\AmaticSC-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\LayeredClothingEditor\Default_Preview_Clothing.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\SelectionBox.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\InGameMenu\CircleCutout.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaChatV2\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Vehicle\SpeedBarEmpty.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\VoiceChat\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\fonts\Inconsolata-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\AnimationEditor\icon_error.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\ScreenshotHud\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\fonts\Montserrat-Bold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Input\Disk_padded.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\configs\ReflectionLoggerConfig\EphemeralCounterWhitelistMock.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\AnimationEditor\img_triangle.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\SelfView\SelfView_icon_indicator_off.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\PlayerList\FollowingIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Settings\Radial\EmptyTop.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\fonts\families\PressStart2P.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\PlayStationController\PS5\[email protected]	RobloxPlayerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1088f3c8e4a44cc7\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-1088f3c8e4a44cc7"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1088f3c8e4a44cc7\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-034c0d4a0a9b44cc"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1088f3c8e4a44cc7\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\version = "version-1088f3c8e4a44cc7"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1088f3c8e4a44cc7\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3948	RobloxPlayerInstaller.exe
3948	RobloxPlayerInstaller.exe
2144	RobloxPlayerBeta.exe
2144	RobloxPlayerBeta.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2144	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 2144	3948	RobloxPlayerInstaller.exe	96
PID 3948 wrote to memory of 2144	3948	RobloxPlayerInstaller.exe	96

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe" -app -isInstallerLaunch
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.4MB

MD5
4fa63f4ccb9b1fca93ab82e51c6d4750

SHA1
1f26018c15ed5e14140ed44c28cf52a7b892fc86

SHA256
685f8b14eb645f892a666cf61cf691d086fe0d3e344a245323f1fe75034869fb

SHA512
a25031fb2afe1baebe9b46266192574c6c73b7fcd8e3e2897873d97b3f6232c5228fa4f633b1df98b9410808d5afe1dd470cd8f3f6dbc0c52526311b769554ab

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.dll

Filesize
16.7MB

MD5
6dfc619af29b1bce46cc55f2f1dd82e4

SHA1
e39ccb51a7e456df074f505193f7371046a51c29

SHA256
72e88ee5395bc66d252042e2fa975a39cff8c3ed2152ba661aacf6b997ba755d

SHA512
379e38a57b17cc417e949ff4ead79980d0b6829f33774d5b0e7a2e36c9247686b12a3c0915123f68e891310a594672ade26d247946213919b7ab972ec6eae495

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\b022682dd39d113f2d5a65a172dbd28f

Filesize
5.8MB

MD5
b022682dd39d113f2d5a65a172dbd28f

SHA1
aa874df3d3d0a9539c53a8a0c96c4c119bae2c52

SHA256
47a2e8bbef18d5491be3c449d9a5464a8804d9d1a85bc7e24ff80876e85104a3

SHA512
d6746ca7c1e10b1ed7fb48d857210ce5cd0f0542c81fdbf00a6afaf4607f30020ccc09f4c41ef9f50bc2562bf6e4380e7abaef1d5a5b1e91773281bcd9e58525

Download Submit
memory/2144-74-0x00007FF9CF140000-0x00007FF9CF150000-memory.dmp

Filesize
64KB

Download
memory/2144-80-0x00007FF9CF220000-0x00007FF9CF225000-memory.dmp

Filesize
20KB

Download
memory/2144-78-0x00007FF9CF190000-0x00007FF9CF1C0000-memory.dmp

Filesize
192KB

Download
memory/2144-77-0x00007FF9CF190000-0x00007FF9CF1C0000-memory.dmp

Filesize
192KB

Download
memory/2144-76-0x00007FF9CF190000-0x00007FF9CF1C0000-memory.dmp

Filesize
192KB

Download
memory/2144-75-0x00007FF9CF190000-0x00007FF9CF1C0000-memory.dmp

Filesize
192KB

Download
memory/2144-79-0x00007FF9CF190000-0x00007FF9CF1C0000-memory.dmp

Filesize
192KB

Download
memory/2144-73-0x00007FF9CF140000-0x00007FF9CF150000-memory.dmp

Filesize
64KB

Download
memory/2144-72-0x00007FF9CF030000-0x00007FF9CF040000-memory.dmp

Filesize
64KB

Download
memory/2144-71-0x00007FF9CF030000-0x00007FF9CF040000-memory.dmp

Filesize
64KB

Download
memory/2144-86-0x00007FF9CE8E0000-0x00007FF9CE8F0000-memory.dmp

Filesize
64KB

Download
memory/2144-85-0x00007FF9CE8E0000-0x00007FF9CE8F0000-memory.dmp

Filesize
64KB

Download
memory/2144-84-0x00007FF9CE8C0000-0x00007FF9CE8D0000-memory.dmp

Filesize
64KB

Download
memory/2144-83-0x00007FF9CE8C0000-0x00007FF9CE8D0000-memory.dmp

Filesize
64KB

Download
memory/2144-82-0x00007FF9CE830000-0x00007FF9CE840000-memory.dmp

Filesize
64KB

Download
memory/2144-81-0x00007FF9CE830000-0x00007FF9CE840000-memory.dmp

Filesize
64KB

Download
memory/2144-89-0x00007FF9CE8E0000-0x00007FF9CE8F0000-memory.dmp

Filesize
64KB

Download
memory/2144-88-0x00007FF9CE8E0000-0x00007FF9CE8F0000-memory.dmp

Filesize
64KB

Download
memory/2144-87-0x00007FF9CE8E0000-0x00007FF9CE8F0000-memory.dmp

Filesize
64KB

Download
memory/2144-96-0x00007FF9CCCB0000-0x00007FF9CCCE0000-memory.dmp

Filesize
192KB

Download
memory/2144-98-0x00007FF9CCCB0000-0x00007FF9CCCE0000-memory.dmp

Filesize
192KB

Download
memory/2144-97-0x00007FF9CCCB0000-0x00007FF9CCCE0000-memory.dmp

Filesize
192KB

Download
memory/2144-120-0x00007FF9CC9D0000-0x00007FF9CC9F6000-memory.dmp

Filesize
152KB

Download
memory/2144-118-0x00007FF9CC9D0000-0x00007FF9CC9F6000-memory.dmp

Filesize
152KB

Download
memory/2144-135-0x00007FF9CF190000-0x00007FF9CF1C0000-memory.dmp

Filesize
192KB

Download
memory/2144-134-0x00007FF9CF020000-0x00007FF9CF021000-memory.dmp

Filesize
4KB

Download
memory/2144-133-0x00007FF9CCA00000-0x00007FF9CCA22000-memory.dmp

Filesize
136KB

Download
memory/2144-132-0x00007FF9CCA00000-0x00007FF9CCA22000-memory.dmp

Filesize
136KB

Download
memory/2144-131-0x00007FF9CCA00000-0x00007FF9CCA22000-memory.dmp

Filesize
136KB

Download
memory/2144-130-0x00007FF9CCA00000-0x00007FF9CCA22000-memory.dmp

Filesize
136KB

Download
memory/2144-129-0x00007FF9CCA00000-0x00007FF9CCA22000-memory.dmp

Filesize
136KB

Download
memory/2144-128-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-127-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-126-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-125-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-124-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-123-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-122-0x00007FF9CCFB0000-0x00007FF9CCFD7000-memory.dmp

Filesize
156KB

Download
memory/2144-117-0x00007FF9CC9D0000-0x00007FF9CC9F6000-memory.dmp

Filesize
152KB

Download
memory/2144-116-0x00007FF9CC9A0000-0x00007FF9CC9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-115-0x00007FF9CC9A0000-0x00007FF9CC9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-114-0x00007FF9CC8A0000-0x00007FF9CC8B0000-memory.dmp

Filesize
64KB

Download
memory/2144-113-0x00007FF9CC8A0000-0x00007FF9CC8B0000-memory.dmp

Filesize
64KB

Download
memory/2144-112-0x00007FF9CE530000-0x00007FF9CE53B000-memory.dmp

Filesize
44KB

Download
memory/2144-111-0x00007FF9CE530000-0x00007FF9CE53B000-memory.dmp

Filesize
44KB

Download
memory/2144-110-0x00007FF9CE530000-0x00007FF9CE53B000-memory.dmp

Filesize
44KB

Download
memory/2144-109-0x00007FF9CE530000-0x00007FF9CE53B000-memory.dmp

Filesize
44KB

Download
memory/2144-108-0x00007FF9CE530000-0x00007FF9CE53B000-memory.dmp

Filesize
44KB

Download
memory/2144-107-0x00007FF9CE510000-0x00007FF9CE520000-memory.dmp

Filesize
64KB

Download
memory/2144-106-0x00007FF9CE510000-0x00007FF9CE520000-memory.dmp

Filesize
64KB

Download
memory/2144-105-0x00007FF9CECE0000-0x00007FF9CECEE000-memory.dmp

Filesize
56KB

Download
memory/2144-104-0x00007FF9CECE0000-0x00007FF9CECEE000-memory.dmp

Filesize
56KB

Download
memory/2144-103-0x00007FF9CECE0000-0x00007FF9CECEE000-memory.dmp

Filesize
56KB

Download
memory/2144-102-0x00007FF9CECE0000-0x00007FF9CECEE000-memory.dmp

Filesize
56KB

Download
memory/2144-119-0x00007FF9CC9D0000-0x00007FF9CC9F6000-memory.dmp

Filesize
152KB

Download
memory/2144-101-0x00007FF9CECE0000-0x00007FF9CECEE000-memory.dmp

Filesize
56KB

Download
memory/2144-100-0x00007FF9CEC30000-0x00007FF9CEC40000-memory.dmp

Filesize
64KB

Download
memory/2144-99-0x00007FF9CEC30000-0x00007FF9CEC40000-memory.dmp

Filesize
64KB

Download
memory/2144-95-0x00007FF9CCCB0000-0x00007FF9CCCE0000-memory.dmp

Filesize
192KB

Download
memory/2144-94-0x00007FF9CCCB0000-0x00007FF9CCCE0000-memory.dmp

Filesize
192KB

Download
memory/2144-93-0x00007FF9CCB40000-0x00007FF9CCB50000-memory.dmp

Filesize
64KB

Download
memory/2144-92-0x00007FF9CCB40000-0x00007FF9CCB50000-memory.dmp

Filesize
64KB

Download
memory/2144-91-0x00007FF9CCA30000-0x00007FF9CCA40000-memory.dmp

Filesize
64KB

Download
memory/2144-90-0x00007FF9CCA30000-0x00007FF9CCA40000-memory.dmp

Filesize
64KB

Download