hxxps://roblox[.]com/

Analysis

max time kernel
1800s
max time network
1690s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://roblox.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133437819802208907"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4704	chrome.exe
4704	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 1504	4704	chrome.exe	88
PID 4704 wrote to memory of 1504	4704	chrome.exe	88
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 3824	4704	chrome.exe	90
PID 4704 wrote to memory of 5084	4704	chrome.exe	92
PID 4704 wrote to memory of 5084	4704	chrome.exe	92
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91
PID 4704 wrote to memory of 4564	4704	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://roblox.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7cce9758,0x7fff7cce9768,0x7fff7cce9778
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:2
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=744 --field-trial-handle=1908,i,1884753951089094005,11674450610545837596,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
529480e3a228967e1d38e472f6bb8c22

SHA1
9d9d5798bdaaffce4a061459e47a28da42cbc45b

SHA256
baf5aa75a37af9eb56095078d2fb4767a6255a54c48bdc7650445de9b43034ea

SHA512
bc87de2ded8c81d84dc5e4a897cb3e7fa2a274ee82017e253c30063cd30ed6586c8e2e69fa04b5de76c52380fc07f4947e6664a46b91fefed9c729843cac0fd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a0aa97adef5a5bd367c002b63d29a0d4

SHA1
2d7f6f7660094abd481913207d1f3a43d5ddd62a

SHA256
ce8d38a82edbd79af559aefcfc8104d41b310cb48bcb2c2d5915dcd390e68979

SHA512
d1acf868ba574f32397db5448b5c5604c9024d2ffea8e4ac97cd4c0c6fc4946b52aa8ada265250b36ade2dbdfef54d30675ff1fcf60aaccf2b8bebf41ed0bb8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8285c57217bea7a6ade1178e85ad2cdb

SHA1
c0bd957900757398a99ab395dcb16079d1afe05f

SHA256
db964108f6c7ad22d814de08bec5a6e749dae7cb87ed2a5d9a08dee2062f9d7c

SHA512
91ae0a0951192a4021484ae83acf593a301e96e2771c09b9b9d1d41d1bd2ea5f53b223185d048f428eebc3f66807ba7fdc8e40d04e400717b1e8761c5f05f918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f9c4b5ed88b85b6c38ffa25417addd8c

SHA1
23f67dd01b85ae491db493365dc87ab6b4310ded

SHA256
baad079a52fdf0061ad3b5c26d52234e0986dfe1cd37f87a9c86bad2d403f285

SHA512
2b01f9a5b6b6e4ac95f303fecdec2c5b96f0f0baadff9c2ca80b245c39850ae2a9c92f57af54c74195e4432c8cd5d2255bb89c37e55a260d0890067de433270c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9474d7634cbdcccb0c562398783f5435

SHA1
33ed1de2566617da5f756323a8eee53804c038ad

SHA256
266e47eb6d55d59f014c5273f4d006d5421b90937e2363f45f3703df28eb5769

SHA512
a0f48ee59220ede6f023dcf5c057c09cad2f74fc4067737c131455a3c461eaef26655d817e1612f22fd74f349f9fa2b5a14555325aa717c804db92e215a3355d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7d8a6f0aedd139a879d25c45623dfebb

SHA1
0758874af5e0ae18d17ade4725f7ea1a7867a0ed

SHA256
384299476f1fc523ff4a44b1907546882bc70dd07c34c2829d05bd6f8e84cfba

SHA512
8919a10d94c096509b630af01412a35680d93b6fe11d37eface06939d8365fe636ca6d46893257c2997beff5e8a112ffa96ce7442a5e077cd082f72e810e6b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9adcf73f27a9ac9b2ca044c0d24f40c2

SHA1
8807d5fba14a06a43f62827623ae3b21f5624e24

SHA256
517473c96353a4f7e39e98da68866c45e98789ddccdd2b47306bcaaf4526072b

SHA512
eef2ed3237f45cf1159e1c4afbbca2aac0af489c5e17d0ede0ddbf6b54dceaf3748eef9761238d30b5deba7f2f6f63923b9698259a3ff2786c957c6d0e594c3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
f4beaab67b68ce66d54c4616c20003de

SHA1
d4484dc35b78c40bf411d662db5d99800ccde3b8

SHA256
212922d97fee3aa17f76b7644822a193c5debd0c5612eabd3709c7d5bfd58e7e

SHA512
8d1387485616b50d1b07fbd947c20717e153f1c89a1034a125e56546e9b655ad7dd889c585b844d3a8a803eb1b58c894dff432174724342a9b6be5401d6fd0f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit