asyncrat | b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5

Analysis

max time kernel
55s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2025, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe
Size

7.5MB
MD5

d7a4872df076123cffaa9d4088c6c9c2
SHA1

672ffdc2435f45707337d281da14c0675bdfa1be
SHA256

b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5
SHA512

c8eb46cf3d76f7fad8d43390208365a6ff2320664275df7b91427e1ea06e75c5e35791d1e38eb9b45425740f5590538ddc6590e0a75f1e2ef2c11a6811d62912
SSDEEP

98304:7XvvXbqLcfF4SNvJ7JuDjjCD2W8zhFxXTWgjY5z8D7PGPZs44bMHES3yFkwON:7HXbqLc26ijWGhFxXIz8D7PGPT4IhySx

Score

10^/10

asyncrat default defense_evasion discovery rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

92agQQpzsyjf

Attributes

delay
3
install
true
install_file
Roblox_HelloKitty_Backgrounds_v1.0.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023306-4.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe

Executes dropped EXE 4 IoCs

pid	Process
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3128	RobloxPlayerInstaller.exe
2084	Roblox_HelloKitty_Backgrounds_v1.0.exe
5060	RobloxPlayerBeta.exe

Loads dropped DLL 2 IoCs

pid	Process
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5060	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

pid	Process
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe
5060	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\icon_add.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioUIEditor\icon_rotate5.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StyleEditor\onboarding.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\MenuBar\icon_menu.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\DropDown\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\InGameMenu\TouchControls\unequip_item.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\ExternalSite\facebook.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\PlatformContent\pc\textures\plastic\normal.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\Icon_Stream_Off.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ControlsEmulator\Playstation5_Dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioSharedUI\MeatballMenu.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\Gamepad\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChatV2\navigation_pushRight.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\LuaPackages\Packages\_Index\FoundationImages\FoundationImages\SpriteSheets\img_set_2x_26.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\transformFiveDegrees.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Emotes\TenFoot\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\InGameMenu\GenericController.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\PlayerList\CharacterImageBackground.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\icons\ic-checkbox-on copy.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\fonts\Arimo-Bold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioToolbox\Voting\thumbs-down-filled.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\DesignSystem\ButtonL1.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\LegacyRbxGui\_preview water 03.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\SpeakerDark\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\9-slice\search.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\Blank.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\fonts\SourceSansPro-Bold.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\PlatformContent\pc\textures\water\normal_04.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioToolbox\Animation.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\PlayerList\StarIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\graphic\Auth\builderman.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\image_keyframe_elastic_selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\LayeredClothingEditor\WorkspaceIcons\Mesh Visibility Icon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Emotes\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AlignTool\Max.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\Pin.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\Cursors\KeyboardMouse\IBeamCursor.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\DeveloperFramework\slider_knob.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\DeveloperFramework\slider_knob_ouline.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\RoactStudioWidgets\button_checkbox_square.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\btn_greyTransp.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\ImageSet\AE\img_set_2x_3.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\category\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\ExternalSite\amazon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\icon_delete.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Menu\hoverPopupMid.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\LeaveGame\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\RedSpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\SpeakerNew\Error.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\avatar\unification\CollisionHead.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\image_keyframe_constant_selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AssetManager\explorer.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\TerrainTools\icon_flatten_both.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\api-ms-win-core-synch-l1-2-0.dll	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\MenuBarIcons\[email protected]	RobloxPlayerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox_HelloKitty_Backgrounds_v1.0.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1704	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-7f0f7a0cd81f40a8"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-1e91b4133e334c9c"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\version = "version-1e91b4133e334c9c"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
5060	RobloxPlayerBeta.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
Token: SeDebugPrivilege	2084	Roblox_HelloKitty_Backgrounds_v1.0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
5060	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5340 wrote to memory of 3628	5340	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	88
PID 5340 wrote to memory of 3628	5340	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	88
PID 5340 wrote to memory of 3628	5340	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	88
PID 5340 wrote to memory of 3128	5340	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	89
PID 5340 wrote to memory of 3128	5340	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	89
PID 5340 wrote to memory of 3128	5340	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	89
PID 3628 wrote to memory of 1160	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	96
PID 3628 wrote to memory of 1160	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	96
PID 3628 wrote to memory of 1160	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	96
PID 3628 wrote to memory of 4736	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	98
PID 3628 wrote to memory of 4736	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	98
PID 3628 wrote to memory of 4736	3628	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	98
PID 1160 wrote to memory of 3404	1160	cmd.exe	100
PID 1160 wrote to memory of 3404	1160	cmd.exe	100
PID 1160 wrote to memory of 3404	1160	cmd.exe	100
PID 4736 wrote to memory of 1704	4736	cmd.exe	101
PID 4736 wrote to memory of 1704	4736	cmd.exe	101
PID 4736 wrote to memory of 1704	4736	cmd.exe	101
PID 4736 wrote to memory of 2084	4736	cmd.exe	103
PID 4736 wrote to memory of 2084	4736	cmd.exe	103
PID 4736 wrote to memory of 2084	4736	cmd.exe	103
PID 3128 wrote to memory of 5060	3128	RobloxPlayerInstaller.exe	107
PID 3128 wrote to memory of 5060	3128	RobloxPlayerInstaller.exe	107

C:\Users\Admin\AppData\Local\Temp\b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe
"C:\Users\Admin\AppData\Local\Temp\b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5340
- C:\Users\Admin\AppData\Local\Temp\Roblox_HelloKitty_Backgrounds_v1.0.png.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox_HelloKitty_Backgrounds_v1.0.png.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Roblox_HelloKitty_Backgrounds_v1.0" /tr '"C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Roblox_HelloKitty_Backgrounds_v1.0" /tr '"C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2A8.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1704
  - - C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe
      "C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 3128
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:5060

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
7.7MB

MD5
98470b34e4752682f06e15073cc49eb3

SHA1
12cb5e490824d96c864d20082e61f93dcbdd91c1

SHA256
2efb688d19dc2d13df27632f58695ba8f812dd7fef3f60c814d732161781a91a

SHA512
a9612ed980e6b4b22e71b5c6d09a521526aae6edc8f3c24a02e39a93acceecc9149b364191f5116cc7ac4b18d0d88239c18b317d18cc6ed40f2003a4c4f158bc

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\RobloxPlayerBeta.dll

Filesize
14.0MB

MD5
9b3e160b27743f5959535bb9bb957199

SHA1
15c6b9c7102e705d45264b95c7391591b884d867

SHA256
5a0671c14f26a5d54fce080b24c7c557064deb8d20b8b5ef5a487a104509a3b3

SHA512
86810b8027f78cfd7521cbade46eda15ba591f3b6d29ce374489d5c90e8bf567c9a9ac889330c2357a9902a337cef4d0d3fb0a55ebb9012a5fd085fd7845b0bb

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\WebView2Loader.dll

Filesize
154KB

MD5
577f05cd683ed0577f6c970ea57129e0

SHA1
aedf54a8976f0f8ff5588447c344595e3c468925

SHA256
7127f20daa0a0a74e120ab7423dd1b30c45908f8ee929f0c6cd2312b41c5bddf

SHA512
2d1aea243938a6a1289cf4efcd541f28ab370a85ef05ed27b7b6d81ce43cea671e06a0959994807923b1dfec3b382ee95bd6f9489b74bba59239601756082047

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\cf350be4f188c4f251231836d414c407

Filesize
8.0MB

MD5
cf350be4f188c4f251231836d414c407

SHA1
9449bfef03203338a6566fa8b7552a8a3f7ae23e

SHA256
8c1bfedf69218adab627f9c394c9e05aba5459709ffda07047c054986d15a28d

SHA512
a23ee905c1087f8cec7d152ca9c9237992b7f792af02c38850601044883a2020239c76e7995af45c2389eec13a5fec23bb1f0d9d8347ef1f0d05baa951596038

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe

Filesize
7.3MB

MD5
027183c8f1be3ad3b30d3c8cf7332988

SHA1
a7de0320e768d2f737c30e77be4ca5043c3dbe55

SHA256
5f02e34dc5d7a478675fef3b4bfa9ed321bf6b6f8d6804aef7b243e360fba2fd

SHA512
66aefb4f2295d66da768ada2849e498145ef0f8d1e2e4c4bb7daa1745b6937742451c2f1eaf3dad35833096179e4b9d123487d744106a709f34c6a7bc8f589ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox_HelloKitty_Backgrounds_v1.0.png.exe

Filesize
175KB

MD5
19fdb6c0b5f1f446749a45c5e5e0562d

SHA1
40d2ede657cc2f4b503fffe83282aac93b760fc2

SHA256
94049485675d5d01b7287a0347643297acaad21b1904b88ce0271e93feee8cfe

SHA512
fd8fffeaa7f605ce0353ea42e269fe105c1abc3708f9b4d03eb882e641b9f5b2ecef14531f4588276dfb5089bbcbbebbd38fe5516210b70bc64e218a69954270

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2A8.tmp.bat

Filesize
178B

MD5
d936da17fe38e3450451be315602e7ac

SHA1
5080fdbc2a73c94580c2da7758fa76f27a22288f

SHA256
e91475531c819647683724a25e3953c92b7bb6b622fa414d9941f044dae9b0e4

SHA512
25e5e9b0a5e5f472ecc46cd8c03983105ccae0054a223324642ece6d9ad7e9accc43aeda272b65bafde8078ac70f1c68bf504a173991b989a6984a4dd0352b15

Download Submit
memory/3628-19-0x000000007334E000-0x000000007334F000-memory.dmp

Filesize
4KB

Download
memory/3628-23-0x0000000000830000-0x0000000000862000-memory.dmp

Filesize
200KB

Download
memory/3628-50-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/5060-143-0x00007FF8410F0000-0x00007FF841120000-memory.dmp

Filesize
192KB

Download
memory/5060-149-0x00007FF842E60000-0x00007FF842E6E000-memory.dmp

Filesize
56KB

Download
memory/5060-124-0x00007FF8433B0000-0x00007FF8433E0000-memory.dmp

Filesize
192KB

Download
memory/5060-123-0x00007FF8433B0000-0x00007FF8433E0000-memory.dmp

Filesize
192KB

Download
memory/5060-120-0x00007FF843360000-0x00007FF843370000-memory.dmp

Filesize
64KB

Download
memory/5060-121-0x00007FF8433B0000-0x00007FF8433E0000-memory.dmp

Filesize
192KB

Download
memory/5060-119-0x00007FF843360000-0x00007FF843370000-memory.dmp

Filesize
64KB

Download
memory/5060-118-0x00007FF843250000-0x00007FF843260000-memory.dmp

Filesize
64KB

Download
memory/5060-117-0x00007FF843250000-0x00007FF843260000-memory.dmp

Filesize
64KB

Download
memory/5060-129-0x00007FF842BC0000-0x00007FF842BD0000-memory.dmp

Filesize
64KB

Download
memory/5060-131-0x00007FF842BE0000-0x00007FF842BF0000-memory.dmp

Filesize
64KB

Download
memory/5060-132-0x00007FF842BE0000-0x00007FF842BF0000-memory.dmp

Filesize
64KB

Download
memory/5060-130-0x00007FF842BC0000-0x00007FF842BD0000-memory.dmp

Filesize
64KB

Download
memory/5060-128-0x00007FF842B30000-0x00007FF842B40000-memory.dmp

Filesize
64KB

Download
memory/5060-127-0x00007FF842B30000-0x00007FF842B40000-memory.dmp

Filesize
64KB

Download
memory/5060-133-0x00007FF842BE0000-0x00007FF842BF0000-memory.dmp

Filesize
64KB

Download
memory/5060-135-0x00007FF842BE0000-0x00007FF842BF0000-memory.dmp

Filesize
64KB

Download
memory/5060-134-0x00007FF842BE0000-0x00007FF842BF0000-memory.dmp

Filesize
64KB

Download
memory/5060-136-0x00007FF840E70000-0x00007FF840E80000-memory.dmp

Filesize
64KB

Download
memory/5060-138-0x00007FF840F80000-0x00007FF840F90000-memory.dmp

Filesize
64KB

Download
memory/5060-142-0x00007FF8410F0000-0x00007FF841120000-memory.dmp

Filesize
192KB

Download
memory/5060-141-0x00007FF8410F0000-0x00007FF841120000-memory.dmp

Filesize
192KB

Download
memory/5060-140-0x00007FF8410F0000-0x00007FF841120000-memory.dmp

Filesize
192KB

Download
memory/5060-139-0x00007FF840F80000-0x00007FF840F90000-memory.dmp

Filesize
64KB

Download
memory/5060-137-0x00007FF840E70000-0x00007FF840E80000-memory.dmp

Filesize
64KB

Download
memory/5060-144-0x00007FF8410F0000-0x00007FF841120000-memory.dmp

Filesize
192KB

Download
memory/5060-126-0x00007FF843440000-0x00007FF843445000-memory.dmp

Filesize
20KB

Download
memory/5060-146-0x00007FF842DB0000-0x00007FF842DC0000-memory.dmp

Filesize
64KB

Download
memory/5060-148-0x00007FF842E60000-0x00007FF842E6E000-memory.dmp

Filesize
56KB

Download
memory/5060-150-0x00007FF842E60000-0x00007FF842E6E000-memory.dmp

Filesize
56KB

Download
memory/5060-151-0x00007FF842E60000-0x00007FF842E6E000-memory.dmp

Filesize
56KB

Download
memory/5060-125-0x00007FF8433B0000-0x00007FF8433E0000-memory.dmp

Filesize
192KB

Download
memory/5060-147-0x00007FF842E60000-0x00007FF842E6E000-memory.dmp

Filesize
56KB

Download
memory/5060-145-0x00007FF842DB0000-0x00007FF842DC0000-memory.dmp

Filesize
64KB

Download
memory/5060-152-0x00007FF841F00000-0x00007FF841F10000-memory.dmp

Filesize
64KB

Download
memory/5060-153-0x00007FF841F00000-0x00007FF841F10000-memory.dmp

Filesize
64KB

Download
memory/5060-158-0x00007FF841F20000-0x00007FF841F2B000-memory.dmp

Filesize
44KB

Download
memory/5060-157-0x00007FF841F20000-0x00007FF841F2B000-memory.dmp

Filesize
44KB

Download
memory/5060-156-0x00007FF841F20000-0x00007FF841F2B000-memory.dmp

Filesize
44KB

Download
memory/5060-155-0x00007FF841F20000-0x00007FF841F2B000-memory.dmp

Filesize
44KB

Download
memory/5060-154-0x00007FF841F20000-0x00007FF841F2B000-memory.dmp

Filesize
44KB

Download
memory/5060-159-0x00007FF840BA0000-0x00007FF840BB0000-memory.dmp

Filesize
64KB

Download
memory/5060-162-0x00007FF840CA0000-0x00007FF840CB0000-memory.dmp

Filesize
64KB

Download
memory/5060-167-0x00007FF840CD0000-0x00007FF840CF6000-memory.dmp

Filesize
152KB

Download
memory/5060-166-0x00007FF840CD0000-0x00007FF840CF6000-memory.dmp

Filesize
152KB

Download
memory/5060-165-0x00007FF840CD0000-0x00007FF840CF6000-memory.dmp

Filesize
152KB

Download
memory/5060-164-0x00007FF840CD0000-0x00007FF840CF6000-memory.dmp

Filesize
152KB

Download
memory/5060-163-0x00007FF840CD0000-0x00007FF840CF6000-memory.dmp

Filesize
152KB

Download
memory/5060-161-0x00007FF840CA0000-0x00007FF840CB0000-memory.dmp

Filesize
64KB

Download
memory/5060-160-0x00007FF840BA0000-0x00007FF840BB0000-memory.dmp

Filesize
64KB

Download
memory/5060-168-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-169-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-174-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-173-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-172-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-171-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-170-0x00007FF840D00000-0x00007FF840D27000-memory.dmp

Filesize
156KB

Download
memory/5060-179-0x00007FF840B70000-0x00007FF840B92000-memory.dmp

Filesize
136KB

Download
memory/5060-178-0x00007FF840B70000-0x00007FF840B92000-memory.dmp

Filesize
136KB

Download
memory/5060-177-0x00007FF840B70000-0x00007FF840B92000-memory.dmp

Filesize
136KB

Download
memory/5060-176-0x00007FF840B70000-0x00007FF840B92000-memory.dmp

Filesize
136KB

Download
memory/5060-175-0x00007FF840B70000-0x00007FF840B92000-memory.dmp

Filesize
136KB

Download
memory/5060-122-0x00007FF8433B0000-0x00007FF8433E0000-memory.dmp

Filesize
192KB

Download
memory/5340-22-0x0000000000400000-0x0000000000B83000-memory.dmp

Filesize
7.5MB

Download