fec985e0648a7d41c434c8fed666139090f7bb5df85939da743a1f8859765811

Analysis

max time kernel
42s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerInstaller.exe
Size

5.5MB
MD5

6399cb94a0d00b72ffb53432cb26c891
SHA1

d18c3616da0c6807771c0d7e501e811a9f2e7ded
SHA256

fec985e0648a7d41c434c8fed666139090f7bb5df85939da743a1f8859765811
SHA512

5f06f6e235c1e1c68255cf34fa22713ddd8a8667d9584ba316358c785801a0d9ca68a93ff2c2b20d55bca5c0502a2edaa2a06a8f45fec2292b880725f8ee5097
SSDEEP

98304:bCvzi7JmlycwWDA64XNj4IdfgT2WXa12zRMBZo8X7xuHit:qzIJmldv4j3gT2czRaoW7xDt

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2228	RobloxPlayerInstaller.exe
2228	RobloxPlayerInstaller.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\MaterialManager\sphere.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\MaterialManager\sphere_model.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\animations\humanoidR15AnimateChildren.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\heads\headC.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\Jura.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\configs\DateTimeLocaleConfigs\ru-ru.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\AssetImporter\bonePreviewMesh.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\BuilderSans-Medium.otf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\IndieFlower-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sky\cloudDetail3D-bc4.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\FredokaOne-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\MaterialManager\smooth_material_model.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sky\clouds-bc4.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\configs\DateTimeLocaleConfigs\en-nz.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\configs\DateTimeLocaleConfigs\pt-pt.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\heads\headK.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\LuckiestGuy.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\configs\DateTimeLocaleConfigs\es-mx.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\AmaticSC-Bold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\NotoSansKhmerUI-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\AvatarCompatibilityPreviewer\headPreview.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\GrenzeGotisch-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\SourceSansPro-Bold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\MaterialManager\smooth_sphere.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\compositing\CompositExtraSlot2.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\heads\headG.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\scripts\humanoidAnimateR15Moods.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\Thumbnails\Mannequins\R15.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sounds\impact_water.mp3	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\GothamSSm-Book.otf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\RomanAntique.otf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\PressStart2P.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\Fondamento.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\LayeredClothingEditor\mannequin_mock.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\compositing\R15CompositRightArmBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\Montserrat-Black.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sounds\action_jump.mp3	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\SourceSansPro-Semibold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\RigBuilder\AnthroRigs.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\configs\ReflectionLoggerConfig\EphemeralCounterWhitelistMock.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\compositing\CompositExtraSlot3.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\heads\head.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\shaders\keepme	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\configs\DateTimeLocaleConfigs\fr-fr.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\morpherEditorR6.rbxmx	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\Merriweather-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\JosefinSans-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\RigBuilder\RigBuilderGUI.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\character.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\RobloxEmoji.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\SourceSansPro.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\compositing\CompositTorsoBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\GrenzeGotisch-Bold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\Roboto-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\NotoSansThaiUI-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\PressStart2P-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\defaultDynamicHead.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\places\MobileChatPlace.rbxl	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\AccanthisADFStd-Regular.otf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\defaultPants.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\compositing\CompositExtraSlot1.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sky\noise.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\NotoSansDevanagariUI-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\Balthazar.json	RobloxPlayerInstaller.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-aa7aa2777dc64b37"	RobloxPlayerInstaller.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2228	RobloxPlayerInstaller.exe
3068	chrome.exe
3068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2772	3068	chrome.exe	32
PID 3068 wrote to memory of 2772	3068	chrome.exe	32
PID 3068 wrote to memory of 2772	3068	chrome.exe	32
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2784	3068	chrome.exe	34
PID 3068 wrote to memory of 2028	3068	chrome.exe	35
PID 3068 wrote to memory of 2028	3068	chrome.exe	35
PID 3068 wrote to memory of 2028	3068	chrome.exe	35
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36
PID 3068 wrote to memory of 1868	3068	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66f9758,0x7fef66f9768,0x7fef66f9778
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:2
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1116 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1108 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3276 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3648 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3652 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3768 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 --field-trial-handle=1320,i,14724874338118858163,2373540894952107776,131072 /prefetch:8
  2⤵
  PID:1048

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2988

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
eb32dd397ce986fadff571440efe9693

SHA1
f30ef15dc56404c2de1331586c20bf649e8550d0

SHA256
2b79cc31d1ab1735c01cd03ef55355538c4d8441fc066a80674ec4e70f8b6164

SHA512
2f31c8bd55497b253fa64d402a4155b291320eae4b90ba2a5ccac239975ebb7ac47eaaf4d6bed3361acf7a03d531b8042e6c24ea1cbf4814d7c7bd4576bec7f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
dc47a4d7c0530d782388399743c33211

SHA1
5852834597d90913f369a3f5ed5b186c2f8fe7ff

SHA256
ea628fa0cc3abb9efa8d157264fa3c2f8823931a7440124350f9d9c323ae9642

SHA512
bf14feda3c0c12850d8c41288c116034dcf0592d29d651a216004e743477e38e5b7615444481a1cb019fc05938dd18f116a5887416bcbe538b75ab66645d844e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a58cc0acdbaaf380b8c62c8786a36555

SHA1
47827d2d87cfcc95ee08cb0e85345409b1ec132e

SHA256
58cbfa801bb39761d077bbf59e77ca9f7400c14fe06f4c4dbc3719632ce6c621

SHA512
d64a7a35020f43f56423e6ecd4157bc93ea8f0401763b2fc0cbd56166885c01e721485c5737378eccb1b4fe5faec7fb9fee39ef2df812c3e8e4ca77be915935b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b933cf51df23a4ab7f66f041a76f68f8

SHA1
815afc471d83a9835cc7f996b97c8cb6504d47f7

SHA256
0d65cd8ff837bb34d986ea7582d03ef4c00d5ba9fe0f050b9087e0ca2fc542ca

SHA512
bb8afd479b5d224346ebf9b8291ba806381445238add386baf01f521a692647a03bfd074da8ff07d8db0e5141a6ed1e39d2dbf7a70971f2d5e1b37b963a2a606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
de17af8c0de6905721f12e696dd5a69b

SHA1
1b5feed517bf61ed12f01d81f5db52a2426913ba

SHA256
b29b6d4fd08019df4004da1f85dd31f9f2482184a018f3d71792304c0433e667

SHA512
e7d3e2200edb0c99ee0853905771a001f0f6889feb13c5a94beb2c09cbfedad029326c8d107c23d4456fbcfa042deea1dd3b3f1117d9f9f645affde1ff5c5c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cf926d9e3cbaeb61630984941927290f

SHA1
7a1c95f30aa23cecc4141c973a8b4f85768542dd

SHA256
670eee13dde5d6c66eb5469e7faf14b8ec438f766146af8b0371986259e5f7e8

SHA512
47aad7bd84ce2599058c0cc4a6a306e24d3d1582fec917085abc55114039a56b5630ff3b21d1eed148d1f5c3ce539d1a69eae1d7d66e19d91d245459b622f057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.5MB

MD5
24591f85e9569269a3b822d0da2e0626

SHA1
62641ade4943b93983b4e59ffd6ee4dcbd77c17e

SHA256
d29bcf294dd77568fd173adac8c705d991482d645127baccb7efca20f560a5a2

SHA512
d0bfe43ece2c598a12fe7d3f2cd12e0685b639aec0fc7a1bbdf0829b886c22208e4236500d8e6540d7faef1514769b87bbdc666602c5548649e50aa61f2077de

Download Submit