asyncrat | 477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96

Analysis

max time kernel
54s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe
Size

7.5MB
MD5

947eabafe59955146fdb714a09e74896
SHA1

a229cea1a129676f7b7c3c7bc80a28e9c22268aa
SHA256

477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96
SHA512

814a1ed776ae4dbff873cb61e72cad9b71fd8f813e38b203b7a68f351627685320aadaccfee160d2faa2f2867c492ce2428d0331aebfed6eacdc950b618a1e98
SSDEEP

196608:TOIe9o8SdDSPvb9FLZmFZKPzs+l8By5k4SFn0r:yHm8Sd0FNm+bs2C4yn0r

Score

10^/10

asyncrat venom clients defense_evasion discovery rat trojan

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

178.117.80.225:3998

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0005000000022f2f-4.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe

Executes dropped EXE 3 IoCs

pid	Process
6028	Client.exe
4648	RobloxPlayerInstaller (2).exe
3168	RobloxPlayerBeta.exe

Loads dropped DLL 2 IoCs

pid	Process
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller (2).exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3168	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

pid	Process
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe
3168	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ViewSelector\left.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_1x_1.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\icons\ic-more-builders-club.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame-12x12.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChatV2\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\avatar\heads\headA.mesh	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\AnimationEditor\img_scalebar_arrows_border.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\ErrorIcon.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Backpack\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\MenuBar\icon_maximize.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\VoiceChat\MicLight\Unmuted0.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChat\icons\ic-pin.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\CollisionGroupsEditor\ToolbarIcon.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\TerrainTools\import_toggleOn_dark.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Emotes\Small\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\VR\hoverPopupLeft.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\icons\ic-more-catalog.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame-14x14.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\AnimationEditor\img_scalebar_arrows.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\AnimationEditor\ScrollbarBottom.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\api-ms-win-core-processthreads-l1-1-1.dll	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\Controls\DesignSystem\ButtonR3.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\AnimationEditor\img_timetag_border.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\AvatarImporter\img_light_R15.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ControlsEmulator\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\Debugger\Breakpoints\server.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\Gamepad\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Slider-Fill-Center.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Backpack\Backpack_Down.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\DesignSystem\ButtonL1.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\graphic\profilemask_36.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\icons\GameDetails\social\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaChatV2\actions_notificationOff.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Input\IntroMove.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_3x_2.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\InGameMenu\game_tiles_background.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\StudioToolbox\AssetPreview\vote_down.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\PlatformContent\pc\textures\water\normal_22.dds	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\AvatarExperience\PPEWidgetBackgroundDarkTheme.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\LayeredClothingEditor\SwitchButtonIcon.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\TopBar\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\AnimationEditor\button_zoom_default_right.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\particles\explosion01_smoke_alpha.dds	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\ui\VoiceChat\Misc\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\AvatarExperience\CircleCutoutLargeNoBorder.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\graphic\gr-avatar [email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\sounds\action_falling.ogg	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\fonts\ComicNeue-Angular-Bold.ttf	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\DeveloperFramework\checkbox_unchecked_hover_dark.png	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\particles\sparkles_color.dds	RobloxPlayerInstaller (2).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\content\textures\SelfView\SelfView_icon_mic_disabled.png	RobloxPlayerInstaller (2).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller (2).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller (2).exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller (2).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller (2).exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-5a6b6797f4e04078\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\version = "version-5a6b6797f4e04078"	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-5a6b6797f4e04078\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-5a6b6797f4e04078\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-361fa88592b64089"	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-5a6b6797f4e04078\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller (2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerInstaller (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-5a6b6797f4e04078"	RobloxPlayerInstaller (2).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3168	RobloxPlayerBeta.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6028	Client.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3168	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 6028	400	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe	87
PID 400 wrote to memory of 6028	400	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe	87
PID 400 wrote to memory of 4648	400	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe	88
PID 400 wrote to memory of 4648	400	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe	88
PID 400 wrote to memory of 4648	400	477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe	88
PID 4648 wrote to memory of 3168	4648	RobloxPlayerInstaller (2).exe	104
PID 4648 wrote to memory of 3168	4648	RobloxPlayerInstaller (2).exe	104

C:\Users\Admin\AppData\Local\Temp\477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe
"C:\Users\Admin\AppData\Local\Temp\477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (2).exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (2).exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 4648
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
7.7MB

MD5
a679a17f732d6c4e4799f4c2a5c00b4d

SHA1
79778557030a4ce1f0a31f1d93878c931bc932fa

SHA256
6472c6e314e51269d9455fbeddb982a6af07269420c23fbb09d2fbdbff49dcc5

SHA512
ee1843c3c4be3c1b82629d45432748b2e84c3025a19cf65fb9f80b6ac214a2d1411152a4ae196d5b02fe535bf6aecf2ee2a898f475394cc23815a30d81e679db

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\RobloxPlayerBeta.dll

Filesize
14.9MB

MD5
708a873f0b36b02b8e92f738d414b918

SHA1
4ca5646a00859ca875b93ab0b111265684a74c74

SHA256
485c0ed2fbbf74c7b18d95e4800da48f2bc90a030551ca21cb2060bf092e1679

SHA512
01af8f6e0cc2586382acaab92c094bbf9b6d735c0a1a9f2bed678e700026209331bc77d3541f6db462e5daf8846dc2f5779361dd7082ed17845386d177cb6a3d

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-5a6b6797f4e04078\WebView2Loader.dll

Filesize
154KB

MD5
577f05cd683ed0577f6c970ea57129e0

SHA1
aedf54a8976f0f8ff5588447c344595e3c468925

SHA256
7127f20daa0a0a74e120ab7423dd1b30c45908f8ee929f0c6cd2312b41c5bddf

SHA512
2d1aea243938a6a1289cf4efcd541f28ab370a85ef05ed27b7b6d81ce43cea671e06a0959994807923b1dfec3b382ee95bd6f9489b74bba59239601756082047

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\d3ce7ba8150c6b4ed1ad1212fd1c021a

Filesize
7.9MB

MD5
d3ce7ba8150c6b4ed1ad1212fd1c021a

SHA1
703ccb1beb53288f7d6da1294c5fd5a0e6e3a56a

SHA256
327f6d9ac087b0614239a9234981a015b09a108bdc0dd97a2ae72bb1ce6faa5f

SHA512
606d6a8bf1c51247f78b7a2ecff7027b08059814df54f40c461241cc9254d31df08d24f1f0b66570849ad84993baf7dce9c10e02f91071834ab8269e76e8ffa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
63KB

MD5
065916df76a29b60fae9879d48f6a23c

SHA1
39955f523f47653e72758e4a504ba2b28f65ae67

SHA256
281246ed2415cc6b47bdaa3af0910a7f0fc97a854e4b146a88469b97225bda9b

SHA512
dbf17e5ed7cc22b80ccc2626dc33206d207432bc18693e51d7ecf86a93b2a8ebfc25842fecdbe69d1379bc3218f4a0017dd75bb5abc60e244465d37a15abb133

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (2).exe

Filesize
7.4MB

MD5
443df84258f3cc21efb5ad185ed2fe4f

SHA1
22dc3b0c04ff55dca5a93856a1ff30cea6e5e7e8

SHA256
b982252fef5780ca193d07fb2754f721ef7869c2d583a09217b8d3c1e6d2ef49

SHA512
1e82a58c1ea297f761d4e1f85f45d16aa91d71bddc9df539c5e19e04f714f19353258337d6640b3c9bc51a77ed4fc2bffd0aa40102ec69eb30b01af859c5a1e0

Download Submit
memory/3168-129-0x00007FFAF28F0000-0x00007FFAF2900000-memory.dmp

Filesize
64KB

Download
memory/3168-146-0x00007FFAF42F0000-0x00007FFAF42FB000-memory.dmp

Filesize
44KB

Download
memory/3168-148-0x00007FFAF42F0000-0x00007FFAF42FB000-memory.dmp

Filesize
44KB

Download
memory/3168-114-0x00007FFAF4CF0000-0x00007FFAF4D20000-memory.dmp

Filesize
192KB

Download
memory/3168-113-0x00007FFAF4CF0000-0x00007FFAF4D20000-memory.dmp

Filesize
192KB

Download
memory/3168-112-0x00007FFAF4CF0000-0x00007FFAF4D20000-memory.dmp

Filesize
192KB

Download
memory/3168-111-0x00007FFAF4CF0000-0x00007FFAF4D20000-memory.dmp

Filesize
192KB

Download
memory/3168-108-0x00007FFAF4B90000-0x00007FFAF4BA0000-memory.dmp

Filesize
64KB

Download
memory/3168-109-0x00007FFAF4CA0000-0x00007FFAF4CB0000-memory.dmp

Filesize
64KB

Download
memory/3168-117-0x00007FFAF40B0000-0x00007FFAF40C0000-memory.dmp

Filesize
64KB

Download
memory/3168-119-0x00007FFAF4140000-0x00007FFAF4150000-memory.dmp

Filesize
64KB

Download
memory/3168-124-0x00007FFAF4160000-0x00007FFAF4170000-memory.dmp

Filesize
64KB

Download
memory/3168-123-0x00007FFAF4160000-0x00007FFAF4170000-memory.dmp

Filesize
64KB

Download
memory/3168-121-0x00007FFAF4160000-0x00007FFAF4170000-memory.dmp

Filesize
64KB

Download
memory/3168-122-0x00007FFAF4160000-0x00007FFAF4170000-memory.dmp

Filesize
64KB

Download
memory/3168-125-0x00007FFAF4160000-0x00007FFAF4170000-memory.dmp

Filesize
64KB

Download
memory/3168-118-0x00007FFAF40B0000-0x00007FFAF40C0000-memory.dmp

Filesize
64KB

Download
memory/3168-120-0x00007FFAF4140000-0x00007FFAF4150000-memory.dmp

Filesize
64KB

Download
memory/3168-131-0x00007FFAF2A60000-0x00007FFAF2A90000-memory.dmp

Filesize
192KB

Download
memory/3168-130-0x00007FFAF2A60000-0x00007FFAF2A90000-memory.dmp

Filesize
192KB

Download
memory/3168-134-0x00007FFAF2A60000-0x00007FFAF2A90000-memory.dmp

Filesize
192KB

Download
memory/3168-141-0x00007FFAF43B0000-0x00007FFAF43BE000-memory.dmp

Filesize
56KB

Download
memory/3168-140-0x00007FFAF43B0000-0x00007FFAF43BE000-memory.dmp

Filesize
56KB

Download
memory/3168-139-0x00007FFAF43B0000-0x00007FFAF43BE000-memory.dmp

Filesize
56KB

Download
memory/3168-138-0x00007FFAF43B0000-0x00007FFAF43BE000-memory.dmp

Filesize
56KB

Download
memory/3168-137-0x00007FFAF43B0000-0x00007FFAF43BE000-memory.dmp

Filesize
56KB

Download
memory/3168-136-0x00007FFAF4300000-0x00007FFAF4310000-memory.dmp

Filesize
64KB

Download
memory/3168-135-0x00007FFAF4300000-0x00007FFAF4310000-memory.dmp

Filesize
64KB

Download
memory/3168-133-0x00007FFAF2A60000-0x00007FFAF2A90000-memory.dmp

Filesize
192KB

Download
memory/3168-132-0x00007FFAF2A60000-0x00007FFAF2A90000-memory.dmp

Filesize
192KB

Download
memory/3168-110-0x00007FFAF4CA0000-0x00007FFAF4CB0000-memory.dmp

Filesize
64KB

Download
memory/3168-128-0x00007FFAF28F0000-0x00007FFAF2900000-memory.dmp

Filesize
64KB

Download
memory/3168-115-0x00007FFAF4CF0000-0x00007FFAF4D20000-memory.dmp

Filesize
192KB

Download
memory/3168-116-0x00007FFAF4D80000-0x00007FFAF4D85000-memory.dmp

Filesize
20KB

Download
memory/3168-153-0x00007FFAF23E0000-0x00007FFAF2406000-memory.dmp

Filesize
152KB

Download
memory/3168-145-0x00007FFAF42F0000-0x00007FFAF42FB000-memory.dmp

Filesize
44KB

Download
memory/3168-144-0x00007FFAF42F0000-0x00007FFAF42FB000-memory.dmp

Filesize
44KB

Download
memory/3168-143-0x00007FFAF42D0000-0x00007FFAF42E0000-memory.dmp

Filesize
64KB

Download
memory/3168-142-0x00007FFAF42D0000-0x00007FFAF42E0000-memory.dmp

Filesize
64KB

Download
memory/3168-127-0x00007FFAF27E0000-0x00007FFAF27F0000-memory.dmp

Filesize
64KB

Download
memory/3168-126-0x00007FFAF27E0000-0x00007FFAF27F0000-memory.dmp

Filesize
64KB

Download
memory/3168-147-0x00007FFAF42F0000-0x00007FFAF42FB000-memory.dmp

Filesize
44KB

Download
memory/3168-169-0x00007FFAF2BB0000-0x00007FFAF2BD2000-memory.dmp

Filesize
136KB

Download
memory/3168-168-0x00007FFAF2BB0000-0x00007FFAF2BD2000-memory.dmp

Filesize
136KB

Download
memory/3168-167-0x00007FFAF2BB0000-0x00007FFAF2BD2000-memory.dmp

Filesize
136KB

Download
memory/3168-166-0x00007FFAF2BB0000-0x00007FFAF2BD2000-memory.dmp

Filesize
136KB

Download
memory/3168-165-0x00007FFAF2BB0000-0x00007FFAF2BD2000-memory.dmp

Filesize
136KB

Download
memory/3168-164-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-159-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-162-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-161-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-160-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-158-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-157-0x00007FFAF23E0000-0x00007FFAF2406000-memory.dmp

Filesize
152KB

Download
memory/3168-156-0x00007FFAF23E0000-0x00007FFAF2406000-memory.dmp

Filesize
152KB

Download
memory/3168-163-0x00007FFAF2570000-0x00007FFAF2597000-memory.dmp

Filesize
156KB

Download
memory/3168-150-0x00007FFAF22B0000-0x00007FFAF22C0000-memory.dmp

Filesize
64KB

Download
memory/3168-155-0x00007FFAF23E0000-0x00007FFAF2406000-memory.dmp

Filesize
152KB

Download
memory/3168-154-0x00007FFAF23E0000-0x00007FFAF2406000-memory.dmp

Filesize
152KB

Download
memory/3168-152-0x00007FFAF23B0000-0x00007FFAF23C0000-memory.dmp

Filesize
64KB

Download
memory/3168-151-0x00007FFAF23B0000-0x00007FFAF23C0000-memory.dmp

Filesize
64KB

Download
memory/3168-149-0x00007FFAF22B0000-0x00007FFAF22C0000-memory.dmp

Filesize
64KB

Download
memory/3168-107-0x00007FFAF4B90000-0x00007FFAF4BA0000-memory.dmp

Filesize
64KB

Download
memory/4648-26-0x00000000071E0000-0x0000000007220000-memory.dmp

Filesize
256KB

Download
memory/6028-11-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/6028-13-0x00007FFAD6693000-0x00007FFAD6695000-memory.dmp

Filesize
8KB

Download