hxxps://www[.]roblox[.]com/

Analysis

max time kernel
1799s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578446589704012"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
1460	chrome.exe
1460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4924	4880	chrome.exe	79
PID 4880 wrote to memory of 4924	4880	chrome.exe	79
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 3528	4880	chrome.exe	81
PID 4880 wrote to memory of 884	4880	chrome.exe	82
PID 4880 wrote to memory of 884	4880	chrome.exe	82
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83
PID 4880 wrote to memory of 3004	4880	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.roblox.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa090eab58,0x7ffa090eab68,0x7ffa090eab78
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:2
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:1
  2⤵
  PID:280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4136 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1756,i,364681583426749717,8807150032156835211,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
878ef888f90853d277ec95834a2f478b

SHA1
ffb878a4296b32ebbce3970b2ca7229bc0954c7d

SHA256
27d4b5b49ccfcd9eb63f96cfb5d5680cf451a2f53d3f5775d5625cb4eb0adbd0

SHA512
9b9d179bc2610d66d9c370461dbcb9403f23874a61d69fff2bd7854527cc15fa93ae9e052e75861b2fe83971ad9d4c2ec688ba4070940c430193b18f142a683e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
df2d8b6254b80cb2faeb49141aeed740

SHA1
00bd640b7e0ec134b0c592d3c23a4abb1429564b

SHA256
97ccc1095fdf659c74c12d48018cd9f2975e8460143082a4fbe03547b3ab8ebb

SHA512
53f5f876af24288be9c1b110ab79f2f4da28dbf9f8fe245ca234762ce955302d7938ce5a014277586b9608e53c8dcb2086495f7178003ba5275d826377290237

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d2b9635bdf1def46f4c6b55547c82fca

SHA1
2496b61568094a013853a6184bd670cdeec10515

SHA256
3325b683b5cabe888bb622e7fc623c90e28d4f1af299abbfe60a3d74df4418f4

SHA512
86e3dae00a6133b698f850a66da23c9bf3ce7a115f3799c05c9f60946ae6004d488b999f2de30da5251d28abc00e131871713428dc7b42ff2e32b9ebfa2347cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
48c237159befb6295c92c892b34d9789

SHA1
59f1b044ac96965756068235f6a646e47013e629

SHA256
2f0470f212adf860ffc5e921b38f2788cdb248eb658b70b604367f2f1d09547b

SHA512
f78d178c7dc1ff442473bd499e19994e97b76cc184cd75b7c406faa44058f7d6603e4b0febf0454bf1d587da1175156b345460b9baadc856d2cce24a72d24c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
48dc93cf774675ba062e861cc3055179

SHA1
bc1c03df3fe7e3f3e5fffaf69c4b282005394f04

SHA256
7c92e3bd37e62de0ebca67ddc5bfbeb26a319ab34867a8a085b8b12f431892a9

SHA512
500f36ab5d7cbc961f95ad2f7a78f615e241ce51b89015e07be3df140d090e54bf6608d0598f29f9873750d5cbc4b732da6793d9a37b397054e9b6c0a89f700b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
01efdb2ad2ea1fd35ad84c66a1769a5f

SHA1
100ca357e0cd291ea3682e90233bd8b302c5cdbf

SHA256
f6c75fc62579178f8f10b803d1d52fedd4745db02e8c8227d6c0fd4025444a52

SHA512
1342d9e6f5a207b43e0f87eabc36ebd221012d500553ff11ba21dd65c31e47d114350d25ab87df79fca0efd66b2def7f3abaf43f7e5973a1e3dd3b77b638d6ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2afc4f65a8aaa5b4f2b595e2f8835910

SHA1
94e7258afb60a29d8819da31683455427e603ca5

SHA256
5f5e162a9885fd2e6bd2d2e5164bd23dbcdc062e44be088fca5b60b6e59d6a0e

SHA512
74fcb734f99178cacf7544ef84abfb681544514fd0dfd269c22f2cf1c0f210311a9c205f7154fa2e6392d76ac0ce8ebe83454959c0afaff313d99fb11618daf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
659df508782e9da3557aa979721bb17c

SHA1
851118381e3c5fa1650ad1e693c7a5591c454889

SHA256
15b74655c4f4445a5d91e981dfb027311e47f11cce19216d3d58cac07aa422a5

SHA512
4590110bccb62038318f836849feebf5c4e259d936078dfc96f73f6f7b1f564a1f33181e97043f0f28e8a05383fc9423937fc19d5e04da4c23b00e5f6504528c

Download Submit