Analysis
max time kernel: 198s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2023 22:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-
Resource: win10v2004-20230703-en
Errors
General
Target: https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/961916454456938537/3lFwPgZF34r0-bnfCFnjndGn8C_v346BGlJkMGeEsc1St-UOQ0nMyVTNbQs4DhXGF4cp
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  4312  MirroApi.exe
  3928  RobloxToolz.exe
Loads dropped DLL (9 IoCs)
Processes:
  pid   process
  4312  MirroApi.exe  (9 identical entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  73    ip4.seeip.org
  74    ip4.seeip.org
  79    ip-api.com
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1860  3928        WerFault.exe  RobloxToolz.exe
Modifies data under HKEY_USERS (17 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "243" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133358358877516905" | chrome.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Modifies registry class (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings | OpenWith.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  pid   process
  2536  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  4796  chrome.exe  (2 entries)
  4656  chrome.exe  (2 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid   process
  4380  OpenWith.exe
  4312  MirroApi.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes:
  pid   process
  4796  chrome.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        4796  chrome.exe  (30 entries, alternating with the next)
  Token: SeCreatePagefilePrivilege  4796  chrome.exe  (30 entries)
  Token: SeRestorePrivilege         4912  7zG.exe
  Token: 35                         4912  7zG.exe
  Token: SeSecurityPrivilege        4912  7zG.exe  (2 entries)
The four 7zG.exe entries appear in the middle of the chrome.exe run; the chrome.exe entries continue after them.
Suspicious use of FindShellTrayWindow (34 IoCs)
Processes:
  pid   process
  4796  chrome.exe  (33 entries)
  4912  7zG.exe
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  4796  chrome.exe  (24 entries)
Suspicious use of SetWindowsHookEx (20 IoCs)
Processes:
  pid   process
  4380  OpenWith.exe  (17 entries)
  4312  MirroApi.exe  (2 entries)
  3588  LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       pid   process     target process
  PID 4796 wrote to memory of 4164  4796  chrome.exe  chrome.exe  (2 entries)
  PID 4796 wrote to memory of 3224  4796  chrome.exe  chrome.exe  (repeated)
  PID 4796 wrote to memory of 1108  4796  chrome.exe  chrome.exe  (2 entries)
  PID 4796 wrote to memory of 4584  4796  chrome.exe  chrome.exe  (repeated)
All 64 entries are the chrome.exe browser process (PID 4796) writing into its own child chrome.exe processes.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4796)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/totallyNotRipper/RobloxToolz-ServerCrasher-
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4164)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee3179758,0x7ffee3179768,0x7ffee3179778

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3224)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1108)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4584)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4520)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4352)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 748)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4364)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4596)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4656)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 --field-trial-handle=1876,i,13673638321998124720,7807087937580941823,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 5040)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\System32\rundll32.exe  (PID 1488)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe  (PID 4912)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29951:84:7zEvent24600
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\OpenWith.exe  (PID 4380)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

  C:\Windows\system32\NOTEPAD.EXE  (PID 2536)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.Config
    - Opens file in notepad (likely ransom note)

C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe  (PID 4312)
  "C:\Users\Admin\Downloads\RobloxToolz\MirroApi.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe  (PID 3928)
  "C:\Users\Admin\Downloads\RobloxToolz\RobloxToolz.exe"
  - Executes dropped EXE

  C:\Windows\system32\WerFault.exe  (PID 1860)
    C:\Windows\system32\WerFault.exe -u -p 3928 -s 2136
    - Program crash

C:\Windows\system32\WerFault.exe  (PID 2156)
  C:\Windows\system32\WerFault.exe -pss -s 424 -p 3928 -ip 3928

C:\Windows\system32\LogonUI.exe  (PID 3588)
  "LogonUI.exe" /flags:0x4 /state0:0xa39b8055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads