asyncrat | b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5

Analysis

max time kernel
59s
max time network
61s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
20/04/2025, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe
Size

7.5MB
MD5

d7a4872df076123cffaa9d4088c6c9c2
SHA1

672ffdc2435f45707337d281da14c0675bdfa1be
SHA256

b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5
SHA512

c8eb46cf3d76f7fad8d43390208365a6ff2320664275df7b91427e1ea06e75c5e35791d1e38eb9b45425740f5590538ddc6590e0a75f1e2ef2c11a6811d62912
SSDEEP

98304:7XvvXbqLcfF4SNvJ7JuDjjCD2W8zhFxXTWgjY5z8D7PGPZs44bMHES3yFkwON:7HXbqLc26ijWGhFxXIz8D7PGPT4IhySx

Score

10^/10

asyncrat default defense_evasion discovery rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

92agQQpzsyjf

Attributes

delay
3
install
true
install_file
Roblox_HelloKitty_Backgrounds_v1.0.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001000000002acd4-4.dat	family_asyncrat

Executes dropped EXE 4 IoCs

pid	Process
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
5140	RobloxPlayerInstaller.exe
4724	Roblox_HelloKitty_Backgrounds_v1.0.exe
3504	RobloxPlayerBeta.exe

Loads dropped DLL 2 IoCs

pid	Process
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3504	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe
3504	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AssetImport\btn_light_filepicker_28x28.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\DeveloperFramework\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\TerrainTools\mtrl_concrete_2022.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\waypoint.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AvatarEditorImages\Stretch\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\PathEditor\Control_Point_Selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\Controls\DesignSystem\Thumbstick1Vertical.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\RedSpeakerDark\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\Gamepad\Controller.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\MenuBar\divider.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\RoundedBackground.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\DeveloperFramework\Votes\rating_up_red.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\MicDark\Unmuted0.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\fonts\NotoSansThaiUI-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ControlsEmulator\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Emotes\Large\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Menu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\MenuBar\icon_emote.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioSharedUI\close.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\TerrainTools\import_toggleOff_dark.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\Slider\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\icon_mutualfollowing-16.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\Radial\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\graphic\profilemask_36.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\graphic\Auth\CharacterShadow.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\button_zoom_hoverpressed_right.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\TopBar\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\AvatarExperience\PPEWidgetBackgroundLightTheme.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\AnimationEditor\animation_editor_blue.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\Help\PlatformController.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\GameSettings\Warning.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\SpeakerNew\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\PurchasePrompt\SingleButtonDown.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\Debugger\Breakpoints\server.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioToolbox\AssetPreview\info.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\Radial\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaApp\graphic\shimmer.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\9-slice\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\configs\DateTimeLocaleConfigs\en-au.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioToolbox\AudioPreview\play.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\TerrainTools\mtrl_basalt_2022.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\Players\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\ui\Settings\Radial\BottomRightSelected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox_HelloKitty_Backgrounds_v1.0.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5076	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-7f0f7a0cd81f40a8"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe\" %1"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command\version = "version-1e91b4133e334c9c"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open\command\version = "version-1e91b4133e334c9c"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open\command	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\version-1e91b4133e334c9c\\RobloxPlayerBeta.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell\open	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
3504	RobloxPlayerBeta.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe
Token: SeDebugPrivilege	4724	Roblox_HelloKitty_Backgrounds_v1.0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3504	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 1152	236	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	78
PID 236 wrote to memory of 1152	236	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	78
PID 236 wrote to memory of 1152	236	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	78
PID 236 wrote to memory of 5140	236	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	79
PID 236 wrote to memory of 5140	236	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	79
PID 236 wrote to memory of 5140	236	b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe	79
PID 1152 wrote to memory of 2160	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	80
PID 1152 wrote to memory of 2160	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	80
PID 1152 wrote to memory of 2160	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	80
PID 1152 wrote to memory of 4592	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	81
PID 1152 wrote to memory of 4592	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	81
PID 1152 wrote to memory of 4592	1152	Roblox_HelloKitty_Backgrounds_v1.0.png.exe	81
PID 4592 wrote to memory of 5076	4592	cmd.exe	84
PID 4592 wrote to memory of 5076	4592	cmd.exe	84
PID 4592 wrote to memory of 5076	4592	cmd.exe	84
PID 2160 wrote to memory of 1144	2160	cmd.exe	85
PID 2160 wrote to memory of 1144	2160	cmd.exe	85
PID 2160 wrote to memory of 1144	2160	cmd.exe	85
PID 4592 wrote to memory of 4724	4592	cmd.exe	87
PID 4592 wrote to memory of 4724	4592	cmd.exe	87
PID 4592 wrote to memory of 4724	4592	cmd.exe	87
PID 5140 wrote to memory of 3504	5140	RobloxPlayerInstaller.exe	88
PID 5140 wrote to memory of 3504	5140	RobloxPlayerInstaller.exe	88

C:\Users\Admin\AppData\Local\Temp\b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe
"C:\Users\Admin\AppData\Local\Temp\b8931d6b7ece78c94ba82511d7f85466c280e8b1059034637e0434a3dd221ed5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\Roblox_HelloKitty_Backgrounds_v1.0.png.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox_HelloKitty_Backgrounds_v1.0.png.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Roblox_HelloKitty_Backgrounds_v1.0" /tr '"C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Roblox_HelloKitty_Backgrounds_v1.0" /tr '"C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C37.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5076
  - - C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe
      "C:\Users\Admin\AppData\Roaming\Roblox_HelloKitty_Backgrounds_v1.0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4724
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5140
- - C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 5140
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:3504

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
7.7MB

MD5
98470b34e4752682f06e15073cc49eb3

SHA1
12cb5e490824d96c864d20082e61f93dcbdd91c1

SHA256
2efb688d19dc2d13df27632f58695ba8f812dd7fef3f60c814d732161781a91a

SHA512
a9612ed980e6b4b22e71b5c6d09a521526aae6edc8f3c24a02e39a93acceecc9149b364191f5116cc7ac4b18d0d88239c18b317d18cc6ed40f2003a4c4f158bc

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\RobloxPlayerBeta.dll

Filesize
14.0MB

MD5
9b3e160b27743f5959535bb9bb957199

SHA1
15c6b9c7102e705d45264b95c7391591b884d867

SHA256
5a0671c14f26a5d54fce080b24c7c557064deb8d20b8b5ef5a487a104509a3b3

SHA512
86810b8027f78cfd7521cbade46eda15ba591f3b6d29ce374489d5c90e8bf567c9a9ac889330c2357a9902a337cef4d0d3fb0a55ebb9012a5fd085fd7845b0bb

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-1e91b4133e334c9c\WebView2Loader.dll

Filesize
154KB

MD5
577f05cd683ed0577f6c970ea57129e0

SHA1
aedf54a8976f0f8ff5588447c344595e3c468925

SHA256
7127f20daa0a0a74e120ab7423dd1b30c45908f8ee929f0c6cd2312b41c5bddf

SHA512
2d1aea243938a6a1289cf4efcd541f28ab370a85ef05ed27b7b6d81ce43cea671e06a0959994807923b1dfec3b382ee95bd6f9489b74bba59239601756082047

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\cf350be4f188c4f251231836d414c407

Filesize
8.0MB

MD5
cf350be4f188c4f251231836d414c407

SHA1
9449bfef03203338a6566fa8b7552a8a3f7ae23e

SHA256
8c1bfedf69218adab627f9c394c9e05aba5459709ffda07047c054986d15a28d

SHA512
a23ee905c1087f8cec7d152ca9c9237992b7f792af02c38850601044883a2020239c76e7995af45c2389eec13a5fec23bb1f0d9d8347ef1f0d05baa951596038

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe

Filesize
7.3MB

MD5
027183c8f1be3ad3b30d3c8cf7332988

SHA1
a7de0320e768d2f737c30e77be4ca5043c3dbe55

SHA256
5f02e34dc5d7a478675fef3b4bfa9ed321bf6b6f8d6804aef7b243e360fba2fd

SHA512
66aefb4f2295d66da768ada2849e498145ef0f8d1e2e4c4bb7daa1745b6937742451c2f1eaf3dad35833096179e4b9d123487d744106a709f34c6a7bc8f589ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox_HelloKitty_Backgrounds_v1.0.png.exe

Filesize
175KB

MD5
19fdb6c0b5f1f446749a45c5e5e0562d

SHA1
40d2ede657cc2f4b503fffe83282aac93b760fc2

SHA256
94049485675d5d01b7287a0347643297acaad21b1904b88ce0271e93feee8cfe

SHA512
fd8fffeaa7f605ce0353ea42e269fe105c1abc3708f9b4d03eb882e641b9f5b2ecef14531f4588276dfb5089bbcbbebbd38fe5516210b70bc64e218a69954270

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C37.tmp.bat

Filesize
178B

MD5
b72d7804d994853a2c765c1c5337679a

SHA1
27a63148ec8fa5689e74c2a0dfe82e37191fb2cd

SHA256
e2497dfdff949a362a5496eff2a91a3d9413d7f8de8efac2b8537764bb8da06f

SHA512
04416450d27e83ccd2b4c00e7bdc98ba4b7a64fd25898db1fba8fd03052527f2fb857cef82110077bab6f61a36c6929b088534a286950675fd078fabfa09102d

Download Submit
memory/236-23-0x0000000000400000-0x0000000000B83000-memory.dmp

Filesize
7.5MB

Download
memory/1152-11-0x000000007383E000-0x000000007383F000-memory.dmp

Filesize
4KB

Download
memory/1152-20-0x0000000000320000-0x0000000000352000-memory.dmp

Filesize
200KB

Download
memory/1152-39-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/3504-136-0x00007FFB03940000-0x00007FFB03950000-memory.dmp

Filesize
64KB

Download
memory/3504-151-0x00007FFB04A90000-0x00007FFB04A9D000-memory.dmp

Filesize
52KB

Download
memory/3504-121-0x00007FFB06330000-0x00007FFB06360000-memory.dmp

Filesize
192KB

Download
memory/3504-120-0x00007FFB06330000-0x00007FFB06360000-memory.dmp

Filesize
192KB

Download
memory/3504-119-0x00007FFB06330000-0x00007FFB06360000-memory.dmp

Filesize
192KB

Download
memory/3504-132-0x00007FFB049A0000-0x00007FFB049AC000-memory.dmp

Filesize
48KB

Download
memory/3504-130-0x00007FFB048B0000-0x00007FFB048D0000-memory.dmp

Filesize
128KB

Download
memory/3504-131-0x00007FFB048B0000-0x00007FFB048D0000-memory.dmp

Filesize
128KB

Download
memory/3504-129-0x00007FFB048B0000-0x00007FFB048D0000-memory.dmp

Filesize
128KB

Download
memory/3504-128-0x00007FFB048B0000-0x00007FFB048D0000-memory.dmp

Filesize
128KB

Download
memory/3504-127-0x00007FFB048B0000-0x00007FFB048D0000-memory.dmp

Filesize
128KB

Download
memory/3504-126-0x00007FFB04890000-0x00007FFB048A0000-memory.dmp

Filesize
64KB

Download
memory/3504-125-0x00007FFB04890000-0x00007FFB048A0000-memory.dmp

Filesize
64KB

Download
memory/3504-124-0x00007FFB04800000-0x00007FFB04810000-memory.dmp

Filesize
64KB

Download
memory/3504-123-0x00007FFB04800000-0x00007FFB04810000-memory.dmp

Filesize
64KB

Download
memory/3504-118-0x00007FFB06330000-0x00007FFB06360000-memory.dmp

Filesize
192KB

Download
memory/3504-117-0x00007FFB06330000-0x00007FFB06360000-memory.dmp

Filesize
192KB

Download
memory/3504-114-0x00007FFB061C0000-0x00007FFB061D0000-memory.dmp

Filesize
64KB

Download
memory/3504-116-0x00007FFB062E0000-0x00007FFB062F0000-memory.dmp

Filesize
64KB

Download
memory/3504-133-0x00007FFB037D0000-0x00007FFB037E0000-memory.dmp

Filesize
64KB

Download
memory/3504-142-0x00007FFB03B10000-0x00007FFB03B20000-memory.dmp

Filesize
64KB

Download
memory/3504-141-0x00007FFB03B10000-0x00007FFB03B20000-memory.dmp

Filesize
64KB

Download
memory/3504-140-0x00007FFB03B10000-0x00007FFB03B20000-memory.dmp

Filesize
64KB

Download
memory/3504-138-0x00007FFB03AF0000-0x00007FFB03B00000-memory.dmp

Filesize
64KB

Download
memory/3504-137-0x00007FFB03AF0000-0x00007FFB03B00000-memory.dmp

Filesize
64KB

Download
memory/3504-115-0x00007FFB062E0000-0x00007FFB062F0000-memory.dmp

Filesize
64KB

Download
memory/3504-135-0x00007FFB03940000-0x00007FFB03950000-memory.dmp

Filesize
64KB

Download
memory/3504-134-0x00007FFB037D0000-0x00007FFB037E0000-memory.dmp

Filesize
64KB

Download
memory/3504-139-0x00007FFB03AF0000-0x00007FFB03B00000-memory.dmp

Filesize
64KB

Download
memory/3504-143-0x00007FFB049E0000-0x00007FFB049F0000-memory.dmp

Filesize
64KB

Download
memory/3504-144-0x00007FFB049E0000-0x00007FFB049F0000-memory.dmp

Filesize
64KB

Download
memory/3504-122-0x00007FFB063C0000-0x00007FFB063C9000-memory.dmp

Filesize
36KB

Download
memory/3504-159-0x00007FFB049D0000-0x00007FFB049D9000-memory.dmp

Filesize
36KB

Download
memory/3504-165-0x00007FFB04030000-0x00007FFB04050000-memory.dmp

Filesize
128KB

Download
memory/3504-175-0x00007FFB06330000-0x00007FFB06360000-memory.dmp

Filesize
192KB

Download
memory/3504-174-0x00007FFB061B0000-0x00007FFB061B1000-memory.dmp

Filesize
4KB

Download
memory/3504-173-0x00007FFB03E50000-0x00007FFB03E76000-memory.dmp

Filesize
152KB

Download
memory/3504-172-0x00007FFB03E50000-0x00007FFB03E76000-memory.dmp

Filesize
152KB

Download
memory/3504-171-0x00007FFB03E50000-0x00007FFB03E76000-memory.dmp

Filesize
152KB

Download
memory/3504-170-0x00007FFB03E50000-0x00007FFB03E76000-memory.dmp

Filesize
152KB

Download
memory/3504-169-0x00007FFB03E50000-0x00007FFB03E76000-memory.dmp

Filesize
152KB

Download
memory/3504-168-0x00007FFB04030000-0x00007FFB04050000-memory.dmp

Filesize
128KB

Download
memory/3504-167-0x00007FFB04030000-0x00007FFB04050000-memory.dmp

Filesize
128KB

Download
memory/3504-166-0x00007FFB04030000-0x00007FFB04050000-memory.dmp

Filesize
128KB

Download
memory/3504-164-0x00007FFB04030000-0x00007FFB04050000-memory.dmp

Filesize
128KB

Download
memory/3504-163-0x00007FFB04000000-0x00007FFB04010000-memory.dmp

Filesize
64KB

Download
memory/3504-162-0x00007FFB04000000-0x00007FFB04010000-memory.dmp

Filesize
64KB

Download
memory/3504-161-0x00007FFB03EF0000-0x00007FFB03F00000-memory.dmp

Filesize
64KB

Download
memory/3504-160-0x00007FFB03EF0000-0x00007FFB03F00000-memory.dmp

Filesize
64KB

Download
memory/3504-158-0x00007FFB049D0000-0x00007FFB049D9000-memory.dmp

Filesize
36KB

Download
memory/3504-157-0x00007FFB049D0000-0x00007FFB049D9000-memory.dmp

Filesize
36KB

Download
memory/3504-156-0x00007FFB049D0000-0x00007FFB049D9000-memory.dmp

Filesize
36KB

Download
memory/3504-155-0x00007FFB049D0000-0x00007FFB049D9000-memory.dmp

Filesize
36KB

Download
memory/3504-154-0x00007FFB049B0000-0x00007FFB049C0000-memory.dmp

Filesize
64KB

Download
memory/3504-153-0x00007FFB049B0000-0x00007FFB049C0000-memory.dmp

Filesize
64KB

Download
memory/3504-152-0x00007FFB049B0000-0x00007FFB049C0000-memory.dmp

Filesize
64KB

Download
memory/3504-150-0x00007FFB04A90000-0x00007FFB04A9D000-memory.dmp

Filesize
52KB

Download
memory/3504-147-0x00007FFB04A90000-0x00007FFB04A9D000-memory.dmp

Filesize
52KB

Download
memory/3504-148-0x00007FFB04A90000-0x00007FFB04A9D000-memory.dmp

Filesize
52KB

Download
memory/3504-146-0x00007FFB04A50000-0x00007FFB04A60000-memory.dmp

Filesize
64KB

Download
memory/3504-149-0x00007FFB04A90000-0x00007FFB04A9D000-memory.dmp

Filesize
52KB

Download
memory/3504-145-0x00007FFB04A50000-0x00007FFB04A60000-memory.dmp

Filesize
64KB

Download
memory/3504-113-0x00007FFB061C0000-0x00007FFB061D0000-memory.dmp

Filesize
64KB

Download