5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e

Analysis

max time kernel
44s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Account Manager.exe
Size

5.5MB
MD5

eb54116db322c49ec2faca86f725931e
SHA1

c703685ac6221d7de624039d7351886b21ca53fc
SHA256

5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
SHA512

ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78
SSDEEP

98304:8H6+2bT1Qm7d9G3s2tIfKLUXk8zdywnr5a0kqXf0Fb7WnZhP+MQuPN5Ppauz+l:5Qm59siyLU0lY9a0kSIb7aZhP+MQuPNw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	Auto Update.exe

Loads dropped DLL 1 IoCs

pid	Process
2844	Roblox Account Manager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
19	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Roblox Account Manager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Roblox Account Manager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Roblox Account Manager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Roblox Account Manager.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	Roblox Account Manager.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeDebugPrivilege	2908	Auto Update.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2844	1900	Roblox Account Manager.exe	30
PID 1900 wrote to memory of 2844	1900	Roblox Account Manager.exe	30
PID 1900 wrote to memory of 2844	1900	Roblox Account Manager.exe	30
PID 1900 wrote to memory of 2844	1900	Roblox Account Manager.exe	30
PID 1636 wrote to memory of 2692	1636	chrome.exe	32
PID 1636 wrote to memory of 2692	1636	chrome.exe	32
PID 1636 wrote to memory of 2692	1636	chrome.exe	32
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 2476	1636	chrome.exe	34
PID 1636 wrote to memory of 1656	1636	chrome.exe	35
PID 1636 wrote to memory of 1656	1636	chrome.exe	35
PID 1636 wrote to memory of 1656	1636	chrome.exe	35
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36
PID 1636 wrote to memory of 1440	1636	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" -update
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb8b9758,0x7fefb8b9768,0x7fefb8b9778
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:2
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3216 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1472 --field-trial-handle=1212,i,3472561901750994071,10089745152994224567,131072 /prefetch:1
  2⤵
  PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
150b2948db20eb26a893e0245759fa01

SHA1
f19d2ef084992046170d5d8352c78e581cf61007

SHA256
a38d3e3cc1572e2a639369166ac1a16c4769cdace262f31a8f42dfc22ae32485

SHA512
b4be1f21b66d22f2ecc1b94d6b8a1c9c99fe9742900b23878535177ada5dd0daf1df1f78616089cf488b31bc69e851b0ece12aae5eab6b6ef5385692ed141269

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e06f23c4b3cf9b2e5657fea78d3d3f7f

SHA1
75b0828a3d06f7c366fbc947a70c25e5a3731dca

SHA256
5d7dae16591cc74fc5e35de0d96bec468045599938bdf797a427812e73444926

SHA512
a15911a03c66a29d3ad59a0457196f20755435d62787af8dbffd4c9a72393da09bf5a9f014ad43789b5812e23c4bc2746811876861d2ec131cc2170c8da4fbe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f20da73cadc37c63bc8012ed439d4e5

SHA1
a971f7259ef0e5bc21549646ad70c8a4969e8588

SHA256
9b4c65b43a8c6c5aaa352a3515a6b6acc5bc3411824f2e27b6cd16486f6ced94

SHA512
5f1ace7c8f2e10008c2c51b87ecd98f3871994c01bd94cd6c3c38dad3c7dfff562232ce5d707ec04f6bce50936b81df059ed19ad8927b45ccd9e1a332a141dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53dde38017a982b95c569c0b3d306d1c

SHA1
ebab8934c1c49dedeab97243fa6e14237a802113

SHA256
5058416228660bd1d83731b0174f411c3085a35830b933f552d7e847e21d6072

SHA512
f1b70a58920f0ffb37bb3b6c6561ecf55826457d8a90737fdf9a6ffc4be9d0756e3934d055cd62a82f303b2ec366a9043ce554166a755b3bf4117a5993f91789

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9120a182a25be6ec128e680e88b423d

SHA1
fefcd5df3f7faadcb1648e32a099fecdd811f8cf

SHA256
d7d2826cb8039625f085508a6b8ae9b92fc39c0118cda24fc8d033d3bbe721a8

SHA512
648dc955627e94e45aceb9af28046f4d45f41b794ea637660b44988304de8d8904c0e71f191287f3b4efe11546efe48b14ebd310e686a713f4ce8d65eb586c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
768e7321a0eaf5794d1a88799be5bf70

SHA1
2b6ccc55a5cb96af2357a1a51aeeaf0681db0de2

SHA256
05a9917ed18e503ec730da625d3d97cb2c92c4d88638aaae7679232a7ab8dd5d

SHA512
dd152b75c3f937a6305c4d16d1adb663957b50745a7f6b9960c3a64eb69606db259b5758407ca4bd3d62e2438d85cfa6925420e1e6cd86805a2d9f3ffb02f291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\217e01dc-e5c5-4341-9f14-fc14f9e2ffe3.tmp

Filesize
987B

MD5
c52943836eb7cf2d6ef453a0d8083b2f

SHA1
b42ef3d69c405f70f00f6a69a719875ad075c155

SHA256
100ec0d850b8f99ac0310108c603425a34c0f479952f8b5034124549c5468dda

SHA512
01f9a120cd56a69f3f1976d59faac60a751ca735588a31f13339b8dc349e054b892f1247f302251dd91d91ed1057a38a971cede8822d7b47080179ad76562049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
24d6c4ee534e779ce8ba451d7e90bcab

SHA1
6e3ad598466e0a7bebe784325e2b9b6d3700d388

SHA256
cd4f657609ee12e7c71587b483288561a3b92c99c40ae7c115aa89ed32e75a94

SHA512
6db6d3550d2f6a921c19ae265ec02f5c755f93cc735e10ceacc95d746736be0cc08ae01db9e6b6318a994f5f3d3493378c883e5a7b5fcaace009e4c0d36b1677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
8f06358d726fd7c317bae82c6d01feea

SHA1
4aa55d42306294dd6d04efc15b05ba3b6c26949d

SHA256
4c2f54ba55d80d2d8387ea9f9569a4391405a1dc83cd9adbb9567f53659d5995

SHA512
687319cd9595b1cbd0f2e3983d1796ab2e5d2d0d6af4887cc9f0a88c01f7f10dcead1a6d29e94333ae3d712f534bc57489cd11638a53f2bff9f74c0c6972324a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
85c4d56f65025209f7b7b4033fccdb10

SHA1
b2bab67764dff3f56b3c84ce689b9f2186b271df

SHA256
c2740bb2a63021ccd267904f4d071c2f2491dde4e1621afa2e9817ca82b34788

SHA512
7378828e675e2f49a80c27dd8c57e9ef0cae7b03b0a615b70fc794aeb7f622f4fcf6d85041d628a78979361be0645b4cbd47f1e9b8de0d5701377a2a6627e10b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1c1e2543daa9d8ff077fc4eef366ec16

SHA1
e9b3916d5bfd928b8de2b3a9b564749fd5d65654

SHA256
a7cd4b4922878abb7f7795074e5cb0086f1d75d36d5130fa78b9ffbd961466e5

SHA512
3d643ed2404fb53972e440cd757594958b4c9e23fd0be1d2b7d3556f1e13064c53702e5ae75087d258d4d6c6741073d0b3a6030182bd9159ce2e05cd678fde78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
480ebba72e39a2626e212e4145b95863

SHA1
8838f10541618c54d9ab4ad9144b836012d4a632

SHA256
c75cb8712f9900ba659d032a7ba0ddf16e2be6e8bec1f85697909c280b81f6d7

SHA512
de93bded8d1a44218705dbba484bd98c11ebeb80b9fe6e1ab773b7b03d2f8c0c3d976d4eb471aab5a3bdf19768e2d3199ced190a5d4c52252bf042d929dcaaec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cf9f360e-14da-4eaa-a147-8810fe56bea4.tmp

Filesize
4KB

MD5
3e798c7c82365ca768f15e99e461c729

SHA1
5156375ebbead5b157242da33275fca6650cbe04

SHA256
d89d6f53e9166db11a594b09b69a064bd1e7097e6c95fe857d06fa708361675e

SHA512
7dc206e47251ec64615cb11c971588e4d2f5f6bd6043a96d8a81f9acf92b163751e8592a4d4460cbae6803fafd59d138e72ea33afab3268c6857f41ff3a9fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab560.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1014B

MD5
1d917eaf5dcc8e06dd032c33f3a3d36a

SHA1
1eacb4eced22393fd5140910d30070f2e054e2fe

SHA256
787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f

SHA512
3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
d5e4966de947333592289d70916257a9

SHA1
5907df0fd07df6c33926906e94f4ed08d40be017

SHA256
d726d47b772a70fabc777c8ed46655fe5200e672f01f11dd95c5f4994e0a71e0

SHA512
c618054766bee664f0605a037f065c196c35495ee993b305f0bece4738ec9f7bd632dc8fb541bcf9d156f12e115455f31dd8db2a8cceb9d7d2f0d05d501831e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6E9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
\Users\Admin\AppData\Local\Temp\Auto Update.exe

Filesize
5.5MB

MD5
eb54116db322c49ec2faca86f725931e

SHA1
c703685ac6221d7de624039d7351886b21ca53fc

SHA256
5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e

SHA512
ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78

Download Submit
memory/1900-6-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-5-0x0000000000A80000-0x0000000000A9E000-memory.dmp

Filesize
120KB

Download
memory/1900-4-0x0000000000A50000-0x0000000000A76000-memory.dmp

Filesize
152KB

Download
memory/1900-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/1900-11-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-3-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-2-0x00000000004F0000-0x0000000000536000-memory.dmp

Filesize
280KB

Download
memory/1900-1-0x0000000000D80000-0x00000000012FA000-memory.dmp

Filesize
5.5MB

Download
memory/2844-33-0x0000000005870000-0x000000000588A000-memory.dmp

Filesize
104KB

Download
memory/2844-22-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/2844-32-0x000000000B1A0000-0x000000000B276000-memory.dmp

Filesize
856KB

Download
memory/2844-30-0x0000000009060000-0x0000000009112000-memory.dmp

Filesize
712KB

Download
memory/2844-325-0x0000000009030000-0x0000000009038000-memory.dmp

Filesize
32KB

Download
memory/2844-343-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-28-0x0000000008FC0000-0x0000000009018000-memory.dmp

Filesize
352KB

Download
memory/2844-355-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-12-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-34-0x0000000005FC0000-0x0000000005FC8000-memory.dmp

Filesize
32KB

Download
memory/2844-21-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-20-0x0000000009110000-0x00000000091B0000-memory.dmp

Filesize
640KB

Download
memory/2844-19-0x0000000005A70000-0x0000000005AA4000-memory.dmp

Filesize
208KB

Download
memory/2844-18-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-16-0x0000000004C00000-0x0000000004C74000-memory.dmp

Filesize
464KB

Download
memory/2844-14-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-354-0x0000000000CA0000-0x000000000121A000-memory.dmp

Filesize
5.5MB

Download