hxxp://roblox[.]com

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133468452781777149"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3868	1712	chrome.exe	36
PID 1712 wrote to memory of 3868	1712	chrome.exe	36
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 2392	1712	chrome.exe	89
PID 1712 wrote to memory of 1476	1712	chrome.exe	91
PID 1712 wrote to memory of 1476	1712	chrome.exe	91
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90
PID 1712 wrote to memory of 4788	1712	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb34fb9758,0x7ffb34fb9768,0x7ffb34fb9778
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4728 --field-trial-handle=1896,i,13310684347954030160,4261957530063414981,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e3b7e863b5b3263cc702605e832e2d77

SHA1
e0ae26d735a58abd9d819407749fd258c012c0af

SHA256
b8c60c4e2a695bb0292bb787228d66023031227e529b45697bd312b071baa7c1

SHA512
6ea2cba1eac7acee168cc33a039f91e5ec53b82b38110133671fd60bd50fa0713dc8b31f41dfe80edd87c04f303ec73de2f548927e9c9613e65f4b14a01e443f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1af3462f77aa2aeb4cf3b9a2f1acca4f

SHA1
c3539bc0fef49d53a109949fe3b27b525b50420a

SHA256
58597bf602013390a629efb8f9f8bce1d7a1ff451466e1e7bd4ab4492e35ad6f

SHA512
9deb7af942fa3d9a03ab54bd1446599b7a8f9cb50d8e3a9b0a13fa5f4abafec8d66862e443224a37036a8ad71e51f9b38512a512014299145dc77d80cd4a8a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc2837f303553def55e5c95e0b2d0a47

SHA1
b34c312f78d845d3298fb7399f3ca9703862a039

SHA256
ab3b8178953a8ce03279eeea70a123764248d1621e9f5ea8befd06a272eca83c

SHA512
68235614b927564c577814ed0fe803b115d6935a8f824ace6a489115fd45373b0c4c4725e2b52a3511be37c7cd92122ea917ea060c2acf47556ea8fb0d2fb198

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
69a6f2632110588e4b30d34a41f0bdd6

SHA1
357c55b9088f6297a142cc34aeae78b7d97564d9

SHA256
6d046d291ff4ddcfa1df28be7eaade2f03433e7306a0f894e2509b764e688483

SHA512
3166b16a792004ea6cadd8cf69c72686b7a7d0bac6dc552163ad069a170a2b17a45224c60470d41202943eb38fee91fb2e1cdeac9b0a3d67964aed08e2067567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6e0d58c0bf659a25a4fe75997c0d7578

SHA1
1c47e0deaf7920d8e1d14d9bd1b1f36e467514af

SHA256
dc73690e866e996e1bd14feba5961a2906dd73be3f3d987385547814772f345a

SHA512
b9cb5df25563e2d10a087dbc43e47d7fd108c2515b66f965429e46fb7d7be0cb83e1095c2a05232a70a7d8214f8f84ee394d3fedbdbf21266e7374ac02276b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f5365178de56010eaacece191391c1a0

SHA1
0109213c72d4fc3f80829960f7b84308c020d0f6

SHA256
8ac7d6e8a2aeac046fd0b89224004946b0dc2c2da85da71ee3103c378b350a47

SHA512
68b257dd477b4e8d53d3d9c898566cbe936b429ee17163db57f8c2210967b58560f6353e9f9b5454cc60d8869f8b7cdb7aa8ccbfe81b2530c861342d44730af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e82c1eefce38b9e72f6bcaa85b74d773

SHA1
dc76b3031cd78320b973a8b428c4ea1f0ab5143a

SHA256
48f698332fbb1edbca3010d0fa73d6c1c00d6cd3c226a853f03c714710c506b1

SHA512
cee83f2b71156bfc5fb20f789718f81b26b7be270a40ddc1b1ef7422616b4df0cf257a9708395aff6ba0786cc11c0b7ba712c180ffe1a7472bb52e56c3b9fa0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
c9f440822856bd7de5a57cdb32af8f63

SHA1
0213e915b2e71b1b2796fa94e68d74b7d1a9c246

SHA256
6648c0851d00ef74f4562588d41f0678a10a2f681cfedeb50709234c9c043d80

SHA512
75cbad01a53801051fff068982b769d7a8aa0c6980d0151549e48a49b19f8017797d8a22ac254c34a3c6418f1857fd586325f7486c5129be28119881b589e963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit