hxxps://www[.]roblox[.]ge/generator/Bpurpss/create

Analysis

max time kernel
1799s
max time network
1687s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26/07/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.ge/generator/Bpurpss/create

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	discord.com
44	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133664579192128193"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
168	chrome.exe
168	chrome.exe
1572	chrome.exe
1572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
168	chrome.exe
168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe
Token: SeShutdownPrivilege	168	chrome.exe
Token: SeCreatePagefilePrivilege	168	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe
168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 168 wrote to memory of 4472	168	chrome.exe	74
PID 168 wrote to memory of 4472	168	chrome.exe	74
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 1888	168	chrome.exe	76
PID 168 wrote to memory of 4884	168	chrome.exe	77
PID 168 wrote to memory of 4884	168	chrome.exe	77
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78
PID 168 wrote to memory of 3624	168	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.roblox.ge/generator/Bpurpss/create
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaffc09758,0x7ffaffc09768,0x7ffaffc09778
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 --field-trial-handle=1744,i,4890498521235587344,11514830872285369065,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
9e92355ec48cfbd37d5708ed1a3fae4f

SHA1
43c41b9394d499274c5e6374bf25962eae2b5dfb

SHA256
b68540e0dd71ebc3b54bad821fbbada0302d96fe016d78ac364b9b537fb1e561

SHA512
5269aa9b824590f1daf0efcff5a8c2abc4257e405f88b52e528b2bacb3adceccf5969dc1aa3bdadc54ab30d96ab4423f50c2e5213e807c7b1caa5e7c710d1a7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9ba5043d01d6716522599011ac0a73b6

SHA1
1a32b0448af59ceae9e1e2913783999965866200

SHA256
0be24b2393393319116bf9abbdf9fe7a5ced9a2e82c8113f1e168f6bc81eb4cd

SHA512
6e5630488dab0c6a9ae04301e70207a6bc62b3b2007fe7ac70aed8d47aa8c9e13888ac83bb798200c9924a163f09e81284e6465959409c0fdee63fe8c0bb5fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
c48858d62f1cf43cc503aaaaf463d351

SHA1
827789abbfeabeff872e836f8116b88ff61773b8

SHA256
cbe56a0674573461dfdd2677d1ba4b5e77a016a8f5137d53c7e8076a82c8e0e6

SHA512
281ae27c1b4c05c675ed7b144a8771bda292c6491972075404b77efc3ac9dddf9dab48288ea363dc28339927f53e742dff5806570154e32eacffa72e909f05b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c26dc084af7bbc1892fd9c452fc62333

SHA1
eb6b97a877b5d8042b8cdbbe6443eb4f8bd0552f

SHA256
119bf87f08c24932a2b2b4ad52795baca1edfffec4eccc8742d5ff372fdf4add

SHA512
5b6ac9e1159a84ed812d5e88c7a955ca2c4ffa6ae647851edbc6f6b2dacaed7580fafebd9b8bcc6beb8e0bff2d5a17c8bc11328aaf59768352614b50edc0a531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
525b10465efbeeef927a3040b652a621

SHA1
3a3bcdaddb85ceeb2fd72aa5874dda980bbbaae2

SHA256
1ea641277fa774217c187943847f03817cdd142af50f855a4e56e952bd6277df

SHA512
71990bbc9a66edd88daf448e47ff306897daedf93110f98dc5a815acfdaf5f46d6c14c010bc854906dfc73edb164d939a82cbbbb18fbdc9ec5e210c088dced71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2060f4d16bf0d37f60d4c16393567399

SHA1
31b9b11c35ffef215d7613ecdf3fc15ee11d24ef

SHA256
82844366acbf5cf22aed090ca1d45e98b96eb59ed7f4dbdf8fe676c331868155

SHA512
c61b1d995f6f6078fc8a4d93dbd9fb1839ecb5b8caf344106e731f782c4ac8b470087e870bb93427eca98e37514082fcb1b4c9af47682101261fdc16133368ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e88cdffd1147db3554bc89aa0c5778dd

SHA1
8e6f718773d551881bffd17a7f097c7127c3b7bb

SHA256
15680f63bb72db4d28fcdf40462688a2c5cbe88e90d8c3f9f40e0d97da035a34

SHA512
3cf9738c0a297f156f1999e2c1e38224b9c21e69dea7905aeb9176d82524d4ff60bd2e92a246ca05d8093eccad8bcd6b6724c5250cd02d9fcdd621b1c3857d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
515282258fbd65f687398b15db12831e

SHA1
e38a869b78add52f4fa2273c6eee4c3fb2cda719

SHA256
461225ea45631eef18b150f5f9772d69e46f601de210d529d7f63adb916285a2

SHA512
7e9f30a9f71c938ef1b5eb7a546c97434bf08cdf8762d3f632a2f1514ea3633ea37e22c94e913ec6364361ee1dcadd7112037318159206aa61620278c4d17fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit