hxxp://roblox[.]com

max time kernel
1799s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
30/05/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615618247221735"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
1684	chrome.exe
1684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4152	4872	chrome.exe	77
PID 4872 wrote to memory of 4152	4872	chrome.exe	77
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 5012	4872	chrome.exe	78
PID 4872 wrote to memory of 2128	4872	chrome.exe	79
PID 4872 wrote to memory of 2128	4872	chrome.exe	79
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80
PID 4872 wrote to memory of 3260	4872	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff431aab58,0x7fff431aab68,0x7fff431aab78
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3924 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4072 --field-trial-handle=1808,i,12846220864247446387,17454271581359919030,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
62c5e93057179b317269fc0407d368d2

SHA1
4d508fce5ae685b1903a964a646cbc74ef168b63

SHA256
e84b180d27fd51b10bd5e77a43008a79bb7f6a7cf0497ccc6bc9fff64dc64fbf

SHA512
30537f61204b98075071070b524d513bd2a431e6f10e6cd6b21113fbb82155910011a598358b8138fb8596f91f044b509126c26b35c91fe0ff151f2d3e86185c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
aa24abda811b22e998f7a581b9e4cfcc

SHA1
811f193656d12be9950b154eb5869bfd7ef6cf34

SHA256
5a332ff754d4fff683c3dbadd4bbf3390fa803dfa7173e06c0a4ffe74b113886

SHA512
f6f58fa7665c99e7ea51f9ca979792363594a06dd815899cc77c2fd9b154598ce45fdf5a5a37490645937517ac0550e7ee9566c9f04b7afd727a08d3b4dcc252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0e7db13b632d359c5641d2cf0cc3a63c

SHA1
1200dd446df0b28d53cb64e255dfe6817dc156bd

SHA256
4eda74777a4aeab448fadcbdffb43ef32de73b0cedf1dbf0598b6a0ab6f7a39c

SHA512
7d9e11b85354b45f95f61bb0e6647e1c3146a6d8f7e5f8ea81924510a6d8bdf7359f19ca4885909aeb9e3bc4e929e7439114ffb880c28c104c490a9bbf618351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d5a38032779e4e4c8d93c1f1f5773e38

SHA1
35798794c73b80818304158108fe2a3d939f0e51

SHA256
7c45fe468e504a31ea75e8f9b047196906df9ed8dbfa37b903d848fabb64117d

SHA512
526ac4dcd36b6a99976840ee229d182f3666f0e7d24ca1380c26e7e2ebf38bd474c4b18698e3769568907b274ac76b991588e96d35a6015d8c914de47ec06681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
82cdc3e2105cb5f1e24eaea5a555e91d

SHA1
77d610c2fffbce90b868f895533b67c3da78cf51

SHA256
c82639c312bb5dff69021e2abff90531bf3f5ca155dbdc122eb05bc67a937f8a

SHA512
5415cdf0462be2dbb9283ec46fc411a807ec0be9d68439aeb685b63702f67800b824cd1b21610ab717d147de8890ad910d321a349acb1086fdc0994b8c3fbb9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ba1cc893e020204ff889e8d7c5ae83b9

SHA1
097138332e5abaa2bee983edd6f5c5abbb70df79

SHA256
73c2cc67f687f8c95fb0943c9b09289072332616af24fa396151a5d86890db3b

SHA512
4815e56262734c3a2e915344abaa6fbdba7886837007e64db3ae77e0308a720a942115d46bcac504d08ac5445a91e581d1b791a92a5b247814bb41c3e6801af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1607b1a1422680155a98f1be20b43cfa

SHA1
cc4ac5b9651da03c0060f782791574a7931d18bd

SHA256
3ff3d85471341c0dd58d8bba502517046072459727671167fd606906e5449d0a

SHA512
dbddccd1091113842918c878fa5f63df040f4cc2525e92cdcc279527124318cf4380ed152fae1106e010c4092ea295291ab93895430f49e2e9dac1a3294434ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7ccc78f7dd51504a3faef37045053f2b

SHA1
f693cefadfe44c35d908d8cd0666172182cdcf0e

SHA256
c245e56a50cf67b36b3add1b35cb2237d041d6d033522d5bbb42bb8251c7a298

SHA512
285e8c1c8def101bf1d23c144f5f24c3a3f8d2a6f055571528fd8cd0c7b7ef8b351b193e1c7a57990966acfd9d7382b15a83b66789f4a3096a6773f2974f6468

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
e4c1b6f1d0c2519558868a9e86a386b5

SHA1
6ec4d767d762aaeb31a507c6346c015af44c651d

SHA256
744aca0fe8be779ca1b1d4fc90851f82e4f57d0a9a26974c2a6780d9370edf76

SHA512
83f55965f5846c0f9a708609c17ffe66b4c3bb1d5e495d67919fc8179d6e79eea3b21fc0695c736898e45a710dca63bcc8f89798e0c20919258c49d7353e650c

Download Submit