hxxp://wearedevs[.]com

Analysis

max time kernel
77s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wearedevs.com

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1704	Multiple_ROBLOX.exe
5544	Multiple_ROBLOX.exe
5816	Multiple_ROBLOX.exe
3984	Multiple_ROBLOX.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133259668576310295"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	chrome.exe
4268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2700	4268	chrome.exe	85
PID 4268 wrote to memory of 2700	4268	chrome.exe	85
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 4472	4268	chrome.exe	90
PID 4268 wrote to memory of 2380	4268	chrome.exe	91
PID 4268 wrote to memory of 2380	4268	chrome.exe	91
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92
PID 4268 wrote to memory of 4912	4268	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://wearedevs.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90cff9758,0x7ff90cff9768,0x7ff90cff9778
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3468 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4596 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4568 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4936 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5424 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4504 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5740 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5660 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5068 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6356 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4584 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5360 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4696 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6348 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:1152
- C:\Users\Admin\Downloads\Multiple_ROBLOX.exe
  "C:\Users\Admin\Downloads\Multiple_ROBLOX.exe"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Users\Admin\Downloads\Multiple_ROBLOX.exe
  "C:\Users\Admin\Downloads\Multiple_ROBLOX.exe"
  2⤵
  - Executes dropped EXE
  PID:5544
- C:\Users\Admin\Downloads\Multiple_ROBLOX.exe
  "C:\Users\Admin\Downloads\Multiple_ROBLOX.exe"
  2⤵
  - Executes dropped EXE
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2700 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1860,i,8747634119593397187,17324007779751158405,131072 /prefetch:8
  2⤵
  PID:6072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x31c
1⤵
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5240

C:\Users\Admin\Downloads\Multiple_ROBLOX.exe
"C:\Users\Admin\Downloads\Multiple_ROBLOX.exe"
1⤵
- Executes dropped EXE
PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5af5091a-7b90-4bf8-9e44-f4037e78337f.tmp

Filesize
117KB

MD5
c182e7668470a0cea3b7ebc8e8d9e3ff

SHA1
f0f76f3d935b5f4c011e3f90fe53558e81a48174

SHA256
f74d5c2d58183e7ed1d0ec378569a972ce3cb7a87d9ab021e4a272e641ac5f12

SHA512
edd3acf6c765b9f2c47879539ecd08df926f1a8cc8f34e83d20120cf2850c79136cbe6a2476853830cdc5c8804114c546b4ce5c3c7123a5e5ecbc83ec2368e11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
48KB

MD5
d4a02a4690dc0a2c58584efd3972a5a0

SHA1
420f64c8b7e2b78dd1df6da6fb76e0de988b1c49

SHA256
94fbb30a0ca48c246676f55e55de5e15a4ff0dbd72a5026fb69d16b2545f5f92

SHA512
aa8f1a75fe2b1e14825c83c365f4701d878d4147383fe5129d97306c3bb87f11bb5fa0ff6805d1033d4dc85743823822c7a58a922484f7f4b573585171d8396b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e96bf7ae6391f0430ad4c3afcc6099d3

SHA1
d0d2dd745a3a677a48c48f44a2d23421c96c66c8

SHA256
a6a3b3cafa4a7bb7b6037abdae2fb2cea2bd55a189fe90b18b2b17608e91df14

SHA512
a412ce17bdd9d29b85a146ea53d1ff17c5cf734cddabd3e30625cd25b2613b38ebd23b4be5593aa79566fd830cc252e2bd6d9d0b12cc80b0748af10d5b664e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_googleads.g.doubleclick.net_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_googleads.g.doubleclick.net_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
64d23deb44cf81bab2f0f6d34816d1ed

SHA1
d0ab12eb0d575701526a250536aeea70aab36178

SHA256
6b3ff3c96dd218e523a7665ad5eb4047f2e071b775cc6fb6a267fc9fe4694725

SHA512
98467ed1c41aa3171b20487af5ddb055919aef5d0bd6cf5f7783d0d9f521c2ff8584a7681de5bdef31ddb728de83fc85694c90d0d3d4851b6361426236e1886c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cd5b32b59e2159423ad603e1e114ea77

SHA1
626e5c61b737c7e0797159a8412cb71a19a0429d

SHA256
92ca3e4915c27fce6d5167f5a641df2047ce67a97ff48a54c24c4c38b1f9f7b4

SHA512
62b9d4c22e47b6df2323b44ee60adf5b49d37d812216c8d0d0c89a982302f1b53373aca08585a5c296bc08217db04aa75dc2d8af425d2ebd2123286be778a336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
cb423e353f602f92ce7eab560ece4778

SHA1
685054974409cc2ae31ef71e6e6c117c8310bc21

SHA256
88ee3b3ed79c9422a09f936f298162c64a4167ba14b56313bc8fbe5cfa6e3f28

SHA512
97383a1b95dd126072ed7e4cb908cc6e69c2d61aeb3512b5846072d15853b78109126068223eabecae59eb850e5d56da72a4534f662fb5ae3411bcee5a50dc72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9fbb3c05d22fabf33fd714d71c9f700c

SHA1
b6be0c6c01760f1fb9fa6057fa47c7078d0fefad

SHA256
6458a39b45ed677426ab38380f734330fb4e214353878c3d3079711940540eec

SHA512
f361aa91f7a47a41ad324d0829406c38dbbc03d9f5710e819e7a7efd909c76d1a08f498ba6d08ce088795555408ef89b41eb5b4c791b7c13b242323f5ca7112b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6d3a7c26942ccb5ecc68fa927685c6fe

SHA1
2436d6169d4a4072c9033bfcfbb5553a87bfe535

SHA256
cf9db0ff8fd48ab6a2961a7237fba181818ebf3ad63cf718bfb4083c3e71a5aa

SHA512
04f1e27f2258857a540d75dc347fa058cdd18fa2759c4d26242462d4c39a9e23e4f1a1e11c17b41a2c50064b39e9f27d31c4824ce38fd5f0303cd573e709e18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1ee47fde8f133d8a9436700d35e5c2e1

SHA1
ed05b36c114f16d71f1ccda4d57d03d91abbbb7b

SHA256
e4f277d0245e1a23a0a1afbf9b50a3debf917d43f9b7c7a7647270eb1211050e

SHA512
8f42a5e24bab1d2bed61debe462ac4497037d26c44fe7b4cb6c3f0d11c9f32499c227259e8601ffbafb25b3f2d1804d3d60d61c18637b4bb590b9ab722fc2019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5717ed.TMP

Filesize
48B

MD5
40aab2d41758a4dfe609cf4904df299c

SHA1
60fa61c6c104f94391dbe3f756aadae18e2e863a

SHA256
bf5f36179dbd0d174d2f26f122225fe03b6ccb25b6b070330cd174bfd15ffc3a

SHA512
6efeecefde9b3c9f7a193764be93755a1ebed90fcde6f27cb5823f6c4b4a3b6f7a01677e2f22312f7bca8e6a2208def62970f548c07d11f37a497fbea5676579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
2c813a9a1516be5690f0d0287e828eac

SHA1
956705c145c06de6dbfa2950548c0f2a1e319ec1

SHA256
ce3e9cf4f516d9a0f96eed166f57c1fff1f23925e2d6c3b314c88244d9c7e864

SHA512
2ae08234f17ac1be02026ec43bdfe28125bf64e6a1e31d569eb4fbe5dc8ddaffff394189e5da5593cd06bde045d45ce54ec5b5e26038b1a2ff6f1e9cff61a76c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
032aeb037499260d14898c79f7eb8496

SHA1
b6a88a47c23b7ee31198221674d42f52e214916b

SHA256
3ec9ee9281468b11283c4ac5d6ec8c7675c7f5d94964f496562461f6e17eda7d

SHA512
f68d102872cde7a16697af5479067db74955097b1c4d40829d3b8695fedd7a73723269c9448b062933e81d75afaba5a72bd6ed71f124563c9dd88982e84b500f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57780e.TMP

Filesize
116KB

MD5
611e44855c5d52dae3db3ce8c58f3838

SHA1
013f7b813dd9e5d6f55f3de665a6561de4e32147

SHA256
7dce928018c48ebac7a4dbfe51f2a21cf3caac1164c56f4527467fca897cfc4b

SHA512
381ac34686a73fe3848e96512f21b40ad9c4f4db6b460c8ed23f8d721112e589c8d3f717ebbd31932d95e6659174a8f0ca6b28603a8192e7df81d476092a8ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b5cbd8ad-3bbc-4f84-b215-dc2d5e464c6b.tmp

Filesize
199KB

MD5
3d4ab9832352ee8e30f94702644cce4a

SHA1
75d8e3391aa615dcc69e047eb369778d398d006c

SHA256
ec91b9986e1a3cef50aa90d898095fdc221c2cacc0599aae79e970e1aedd9cf0

SHA512
1711ff4d08503fd8141d339bd627bae0f27b62a714ee7b9f6c2cace04deec1f975d380be511267970a9291f34e6d6eb6218441128aa7219cbbf449f8d1f1d6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Multiple_ROBLOX.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Users\Admin\Downloads\Multiple_ROBLOX.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
memory/1704-486-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/1704-504-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1704-485-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1704-475-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/1704-474-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/1704-464-0x00000000004F0000-0x00000000005B4000-memory.dmp

Filesize
784KB

Download
memory/3984-555-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/5544-497-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/5816-501-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download