c91803f5c89cc6b4c649f1a6dc85901208a0cf83cbe5d44c4e4800cc0e3b8fde

Resubmissions

03/09/2024, 02:27

240903-cxwsxavbrj 8

03/09/2024, 02:23

240903-cvjqkawcka 8

03/09/2024, 02:22

240903-ctyhbswbrg 6

03/09/2024, 02:10

240903-clxk3athln 8

Analysis

max time kernel
36s
max time network
37s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/09/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxStudioInstaller.exe
Size

5.5MB
MD5

24bcceca8b115ff5d0060b2d9def17c6
SHA1

a06ba5c1f6d64c9a95627c4b2291806d2b5cd300
SHA256

c91803f5c89cc6b4c649f1a6dc85901208a0cf83cbe5d44c4e4800cc0e3b8fde
SHA512

d0d5163a972860ae532d8d0f29d97a1a74796b94aec00d112e30efabc1139b1bb97c892afe7f3a69ef1323aa387a71ae006749e91f374ee93b465586ed6a913d
SSDEEP

98304:GylvpWmVc0qvvtCfSp1SeBg+zTqltWRBfKpph6Ubhh/a/:LpWachtCmpg+CWR4ppkUw

Score

6^/10

discovery evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxStudioInstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\ProgressBar.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\images\roundbutton-icon16.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Universal\plugins.qmltypes	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\TabButton.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Imagine\Button.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\CheckDelegate.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\SliderHandle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\MenuSeparator.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\BusyIndicatorSpecifics.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Dialogs\plugins.qmltypes	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Extras\Private\CircularButton.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtGraphicalEffects\LevelAdjust.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\TabView.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\images\scrollbar-handle-transient.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\ContainerSection.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Imagine\Drawer.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Imagine\RangeSlider.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQml\qmlplugin.dll	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\TreeViewStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\MenuBarItem.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\AbstractButtonSection.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtGraphicalEffects\qmldir	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\TableViewStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\TabBar.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Imagine\qmldir	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQml\StateMachine\qmldir	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\ApplicationWindowStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\images\[email protected]	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Imagine\Page.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Universal\Frame.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Dialogs\images\warning.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\images\progressbar-icon.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Fusion\RangeSlider.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\ElevationEffect.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQml\Models.2\plugins.qmltypes	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Dialog.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\BusyIndicator.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\ComboBox.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Fusion\qtquickcontrols2fusionstyleplugin.dll	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Imagine\Pane.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\CursorDelegate.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Universal\RangeSlider.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\BusyIndicatorStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\ToggleButtonStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Desktop\TableViewStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\images\frame-icon.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Fusion\SliderHandle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Extras\Private\CircularButtonStyleHelper.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Private\CalendarUtils.js	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\images\button.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\ToolSeparator.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\ApplicationWindow.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Private\FocusFrame.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\ToolBarSpecifics.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Fusion\plugins.qmltypes	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\designer\images\swipeview-icon16.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\BoxShadow.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Material\RadioButton.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls.2\Universal\TabBar.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\ToolBar.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Base\images\knob.png	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Desktop\ToolBarStyle.qml	RobloxStudioInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-a8766ccdec1d49d3\Qml\QtQuick\Controls\Styles\Desktop\TextAreaStyle.qml	RobloxStudioInstaller.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxStudioInstaller.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxStudioInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxStudioInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698037960172233"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2992	RobloxStudioInstaller.exe
2992	RobloxStudioInstaller.exe
3424	chrome.exe
3424	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4948	3424	chrome.exe	84
PID 3424 wrote to memory of 4948	3424	chrome.exe	84
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 3908	3424	chrome.exe	85
PID 3424 wrote to memory of 4592	3424	chrome.exe	86
PID 3424 wrote to memory of 4592	3424	chrome.exe	86
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87
PID 3424 wrote to memory of 484	3424	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\RobloxStudioInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxStudioInstaller.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed180cc40,0x7ffed180cc4c,0x7ffed180cc58
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4076,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4564,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1040
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x250,0x254,0x258,0x230,0x25c,0x7ff762a54698,0x7ff762a546a4,0x7ff762a546b0
    3⤵
    - Drops file in Windows directory
    PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4600,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4584,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4672,i,3250132242405792285,5469819297856077528,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:1928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
21355ff16a97b8a470a7e523dc0232b6

SHA1
1f27cd4e5048eda740cdb3dbb3d5b48aba79f762

SHA256
1c33bf00a093e022bbfeff7a686948862d4bef40229102957abd6f9688d18d05

SHA512
2698884c8df9ff18f2cf27ad65e96e2a84d074b1c8e6e6ffc05cd871f2bced8583819718b52645b03e9ba6a316e139afbb18ebf4a955626192465a7882e5de62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
11019948ead90786386916d779c644be

SHA1
c7020b9a80c39e30788b6626e9f0c037361a9d73

SHA256
91e770026c30f3f054f9840644faa7b47791aa18d5189bb64e300ad32923fa33

SHA512
79911b96aec53641707b50a77d2d142981e7d0fc17d946bc5838ad865687688b1dda286a6ea43a2fb87a01e0f93be4cbec12c2536364f2ab1295caa8e6f26cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1862658e0ca7b3292c0d22838113b05f

SHA1
a3cf24d3ad082f0650a83a4cbf3e4dced1b75aa6

SHA256
51dd2072820c5c966359aaf257bc15f042a8900bb20fcf7c5fe33fa6cef90832

SHA512
0a9336cc4c30965ada65c79acf61a3f399566a0dccc98c1c85d3cb09ea127acfb437a4358c44b20001c1162acdd9b09ea72570de91ad0587f6bf71ffec97c43c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f85f9aca1f77efcb7a3be4984928b21

SHA1
47f59e8d1a7af36e7175c3f18587fe449c0d8d4f

SHA256
fbe645c1f8f735782b7a4a5678051666b9283fc75a0e89d70cb83ab032d4929c

SHA512
eb365df169b7cd075141573979b03b61170d51ab977f1d25d88a49397df7058a751588fc54477b2e9cf845f586e0471e6c26ef9f5a0251f846ddd5473e9a2f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0688afa2f95341b6b11ca01e4d5ad2a

SHA1
e3b5c129b7d772ac039ef4ddff28fe80fc089121

SHA256
7f1c2834bfdaa714d37bf5a08c8d737fe8a782c212bb79d8dea8063c6f72ee72

SHA512
a2b2ec18e8a0711c5b10c88641b18ba3981999c08f9024f1bf156da76270f1b2542ac87aae1d854fcc0ed416a1667c6dc4673bc801cc05ecc7209a6cb270b129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5cb026940a93f4ff0fe03cfa9e03e17

SHA1
be739aad40fa98cacf3ba26c7c795684a8090879

SHA256
003c0244832ecb11b9b7ccade22b59c0c3536d89b7fdfa3f752b604ab9dc47ea

SHA512
144f86fa86329f5d05d9bc72517fd42f2da2c4dca574619c2e81eebfaaa460a4a82524070da6869114933984ca74f7055530f3ce39d4181ce19665666cdd57b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
96ac3dd18d2cbbc2082bff5e6f220d8b

SHA1
a8d617f5855413c878ed77343192319f550bc19b

SHA256
29ef75bf95d1aa6cf15778a6f9b2ca7d4797f20fbeeb1597fc1242f1e0950a8b

SHA512
b98555f86419d0e6311fd80eda3db29df596354f6bbc9645ec5183df313b39a1eb64e581fd9a9527835a356d882ff50afcf8deb23425e395a3a80ac2e1e6b4ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
3cf5e93e89bd186e4532f7ec52dcc783

SHA1
008f2bea5986f61a4541be6de3d5683d95e49ce7

SHA256
83b71c3889b3538196049878ce783500da0b5334aeda28d052b78b5f607d7538

SHA512
6d857d13cc69bc318852104fc7cc6bbdfb015ec9d0a43a412bf9dba9214fedf2f3a0011bd3d4dc899f6613a0fe8966649c1e6485e86d2cb0e83f73cd57df940f

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-studio\24bcceca8b115ff5d0060b2d9def17c6

Filesize
5.5MB

MD5
24bcceca8b115ff5d0060b2d9def17c6

SHA1
a06ba5c1f6d64c9a95627c4b2291806d2b5cd300

SHA256
c91803f5c89cc6b4c649f1a6dc85901208a0cf83cbe5d44c4e4800cc0e3b8fde

SHA512
d0d5163a972860ae532d8d0f29d97a1a74796b94aec00d112e30efabc1139b1bb97c892afe7f3a69ef1323aa387a71ae006749e91f374ee93b465586ed6a913d

Download Submit