c39ed858478de61af49aa465cead803ed4442c890973e2656b2d24c946c5d466

Analysis

max time kernel
117s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxChromaRGBModSetup.exe
Size

2.8MB
MD5

dea5ad772d800f1306ddc562f9aa877c
SHA1

7cfd0429c3eec3ad87af9a5ad6be4079d4d07cd8
SHA256

c39ed858478de61af49aa465cead803ed4442c890973e2656b2d24c946c5d466
SHA512

c8b23aec26eff38358a8685598609863f3d2d8f030a01a13211e3c4b74f48fc126f8805348f351e5beb389f1b7b19ee6cccc30501b0d7362cd7238e17937c5f7
SSDEEP

49152:4cW4fjCmDE9tIGt/VbvhgPgdlB8ceq2Khoto14t81meZRHaTXXt:4X47C6uz5VbBB/eqvid81meZRMnt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	RobloxChromaRGBModSetup.tmp
1932	WPF_RobloxChromaMod.exe

Loads dropped DLL 4 IoCs

pid	Process
2112	RobloxChromaRGBModSetup.exe
2704	RobloxChromaRGBModSetup.tmp
2704	RobloxChromaRGBModSetup.tmp
2704	RobloxChromaRGBModSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-RCNNO.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-3T4K3.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-2EOVI.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-QM0OP.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-FNPLC.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-6QQKP.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-3G635.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-5KKBU.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-ARIGV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-DFTE9.tmp	RobloxChromaRGBModSetup.tmp
File opened for modification	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\CChromaEditorLibrary64.dll	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-RK7BU.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-T8AA7.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-OVMOM.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-C7GOL.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-EN77P.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-9I18H.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-E4JU4.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-PFN6L.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-GFL0U.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-CDH1I.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-REOI4.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-SKGMS.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-H1P9Q.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-KQB94.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-C4U2C.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-Q9GFJ.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-BKUFI.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-Q1AE3.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-12PVV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-1KGEM.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-7UJ1O.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-OME0O.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-NE4LV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-BNG7S.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-GUVKO.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-UPTED.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-1PG6K.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-HQ0UV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-M4C98.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-K75DO.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-PEM2U.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-5E5MO.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-IPUT3.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-VKI13.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-HMU23.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-11MND.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-JGK39.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-962EN.tmp	RobloxChromaRGBModSetup.tmp
File opened for modification	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\CChromaEditorLibrary.dll	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-N851S.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-39UOC.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-P8CDT.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-8KVBN.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-9FKBD.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\unins000.dat	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-D43J1.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-QHN5M.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-ROGVL.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-AB14J.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-ROLU9.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-398DM.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-M56M8.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-RICAG.tmp	RobloxChromaRGBModSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxChromaRGBModSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxChromaRGBModSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPF_RobloxChromaMod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000009c0007f5a5c5256df6144b3f58c9b436f32e7cdce046330129b962bf61896e5d000000000e80000000020000200000000b38e2e977282f7220dd390f33f7a00f24d38976094ddc38f1768c047d8165ff900000008ecd8ffc2d49bfc7c086babce7fab7f0486b59ca359b4e155e128ac579aa7eac21069346b11446f174e9e296b22df88e844d6408711aecd18c88cbd7466e6e042191a240948714bcdf296e0f932aeb6d98f7e3342e3678f271691e19f1420d5ea3cf4541b69bc12d4d6a5ad3951492f2bebc6a0076a935cd0c1873e320aabf4ce733e8b6bd662cca913a4d533a1aac4c4000000044a5a45c72fb41c441bad78683ddb1a81ec600d8418557ea4b72323ec819081c2345f240847033ce2bef6ce170c67e211fa8ec7f8db796ab53ac2ffe1d4ba114	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000751cd3a89f76ce1c0a11e484af7bd6b1f79adf7e6e357f67c3bd60d763615b66000000000e80000000020000200000003384a3f44e6e3e25f517508e879dbe15efd9196dd0dee187f34459e6dec98c2b200000007bb6a3e1c8fa706c8324647ff5b491fce5ce90896cdaf0442a72148e7513be2440000000a59ed4e8f5aba7d8d7b036eb40153a54d78f7af1aaa928356d9f5384484f9165c1f9f79a952d9246061716a36a0291c10cf62e2188674654b7513f2fc0a89a3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433708047"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F7A4E101-7DC2-11EF-9C5B-523A95B0E536} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10866fc3cf11db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	RobloxChromaRGBModSetup.tmp
2704	RobloxChromaRGBModSetup.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2704	RobloxChromaRGBModSetup.tmp
3028	iexplore.exe
3028	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3028	iexplore.exe
3028	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2112 wrote to memory of 2704	2112	RobloxChromaRGBModSetup.exe	30
PID 2704 wrote to memory of 1932	2704	RobloxChromaRGBModSetup.tmp	32
PID 2704 wrote to memory of 1932	2704	RobloxChromaRGBModSetup.tmp	32
PID 2704 wrote to memory of 1932	2704	RobloxChromaRGBModSetup.tmp	32
PID 2704 wrote to memory of 1932	2704	RobloxChromaRGBModSetup.tmp	32
PID 1932 wrote to memory of 3028	1932	WPF_RobloxChromaMod.exe	33
PID 1932 wrote to memory of 3028	1932	WPF_RobloxChromaMod.exe	33
PID 1932 wrote to memory of 3028	1932	WPF_RobloxChromaMod.exe	33
PID 1932 wrote to memory of 3028	1932	WPF_RobloxChromaMod.exe	33
PID 3028 wrote to memory of 2020	3028	iexplore.exe	34
PID 3028 wrote to memory of 2020	3028	iexplore.exe	34
PID 3028 wrote to memory of 2020	3028	iexplore.exe	34
PID 3028 wrote to memory of 2020	3028	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\RobloxChromaRGBModSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxChromaRGBModSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\is-I02LV.tmp\RobloxChromaRGBModSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-I02LV.tmp\RobloxChromaRGBModSetup.tmp" /SL5="$4010A,2207760,821760,C:\Users\Admin\AppData\Local\Temp\RobloxChromaRGBModSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe
    "C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=WPF_RobloxChromaMod.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe.config

Filesize
182B

MD5
c6376b7cf21791bee55ce91ce487b80b

SHA1
ea7cc1b2e62a65fc26e026ae8b70f90e5b9fc839

SHA256
eb217cd4aaffd7c0cc720e9bb92f5e8d4199bd678df9e8dff7a07182d3568081

SHA512
c4413cfb89838b48b913f2383c53e5933ca0820f2c31ab7d378bebd2dd7a7ffbed8221c20c7ce08657c3a3281eee8d0d1a7aeed6fd3bb9f68374f09e63ca5de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad49e2532dbac9b4e34d0475d5dc85b6

SHA1
4790502d02e5edf5f72be19c8911ff181adb6ff2

SHA256
433cbeb8ba24b0b9674521fd9a8766c1cc90992c2f7177f1563bd0072b5ca3ab

SHA512
399040d6d951ded7f271fb69a6d651591486e75f26fb877d497a595bc51d15efc733bb7d6bd13a8c096ebd9a2b4b5da725db7634fb7f0536dcbbdf6562520600

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d24ea22c095de1429789390165d8e773

SHA1
e932e28ebece6c385355137432b394067cad071c

SHA256
7488d490b2e1a52d05afb6ec9670ce6b2de7f5fc95e6241daa23b610ea181e7e

SHA512
013bfa765494a064fe3b3dd03eb6e0447ea1da5756df70d9b96a3526170f40cb458ff1f7a0f39f06ef90ab518229438fe813a16e853cfc457c51a55446350f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9e7aee6d1a2c8da8590dc709056cefc

SHA1
a966181b202ceb5221b6b13b34c8a96d32a7e9e2

SHA256
5eda4d503d141533382dffaafbd596eb135963424d363685b35820e64c84ddb6

SHA512
3edf9306ba01a75fa01c1b74fa3be63a98cd384a784f29cd1e91bfdc38c2085954e6ae04be2b9d5856714d3556ff037eb6c48b256c0741ae4829d1b8e22bb8a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2adbce7e0a6bc1ef47eecf8db423c33

SHA1
a4a13776009418385ad3f0fd1fb62c9d98e0fbde

SHA256
f840242a421753389977ebeb3f0ac227ed7aa9bb54660bd0e6c353a747501505

SHA512
29036ed7e1fb7a1c78cd1d8434a67d5f5f403104f94ee136c2357ee1d26d734627fa847067fe9df985deebeee02ad0e4ddc5ee29b95f7454a1bed3dad456ef5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
513d6c4022d87f388c7db1076ccb419d

SHA1
966dd4b0030f9c1c578ea46781c93056bf81a681

SHA256
094be10806cab9ad634a021d82df7bc4bf14434576ad50802f18650c22d17acf

SHA512
eb8179c092c99f8515dee80c25801ed44b871b45056702decef6bf89174b850124a105a243dd31d5415cb37b2742314dd60c8f249dbfd4c3b35832673b974f22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
919ceaeada4ad1d21d7de3009d3f758e

SHA1
33a8d502f7b3c9a1cdcc449cb77e552558a4a631

SHA256
eece380fb6418d4dd1ddbbdc32fb556eb73f6845e37fa7cfe9c2d0439b503905

SHA512
e6f377434c9d2bb07f4816c29d0cb55315f5913dbd2af5100a0112dd8b20ead6a59eda564be1b94680006d9cb1783c860bb3d77032b0423551c075acadadf663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26924b630b94322f151703ffc23462de

SHA1
bc7983132c596a12e84865e2c3dc67e22bb30abc

SHA256
73980757e7ed44eda27bbf4d89e0870f32d7b0c7f835ed41c77bbcc3f17f29c7

SHA512
e1556cb7d734e272dc95e2f4f3516f2c94666d092ab83caeaffe14585b89bd8dc9720b445d42b3f9d1eba367dfc95003175a8397050177f46a0e3cf7436fbc50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9bec8f4e8dc2ac978b3d6551ae92155

SHA1
92a655d57c237207f50a826584252bea44cedae8

SHA256
6b91df6370b4fdf5cb27119074078c055636e01f846ce10016a362360900a209

SHA512
ce6a7f65831fa1c02d2f587e0e7130b2e89c11a2dec157956a67b7e0acec5b868c3d30c2e2d058b882541fbcfeba576f3fd071705bbe38371da3ec6ac60c66b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
218d573bb1d313cd89f02f4de2541ac5

SHA1
25e744154597a1397b837b1af80ed332dfd18c71

SHA256
1f5206eae3e2843007848176ffb550e617e6102bde417db93c8ee874bc709968

SHA512
a94edb2bda4df27b623fa280459124d4ef5220790c1ad0de88b1fa07cc491c649b25eafd90cbdc1f86e08229ec4271c3f20403b14053dd3c8f41677b30236c57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40d436626437786ff9856fc34276de9

SHA1
12a93d47fba8459ea3426289cd1832a8f656f788

SHA256
a9472116f1e97facb38205fe2da3d4787fdb3ee0aa9bce644279c7d37c0e0715

SHA512
df0b70201dff287268cb2b7546593f0a03c12f9338f26b4819bbc5e93ddcc6bdfd6f854014b5797d9ea96e6968ce1594650d41a0a923f5f7f6cb47eb90eec7ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77fc2069999f5a9d7d38875ed3585c0c

SHA1
cbfbee4e3a168dea3e566f28a4915f20e6ef8e47

SHA256
fae9b13483ad928cbecf8fa0543e84b80001a99420135496c34d91a81f6be107

SHA512
af40e7d72b8684a37749bc0b4bee9b7eaa5c5917816ff572aaef17b63f55bb5f85e9d5967a2eb62aed67c06f21a9a4def2b32428e1ebc26a8a7e07f2e9e159c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0ba8bc58d6c869b2a9da37aaefe297f

SHA1
c172f3fe4fae0533aac8f612c02c0cae5139f13b

SHA256
d1e047b37a67ee67b3ec15bc267a04a8a120c674ad41fdd1806ba8f2b1696795

SHA512
abc5bcdf94b7c3f821baec5cf16a24ab75c8806090862f87b48722e3d5c015567c7c937bcfb4a620f5aa5a5c6176dc3e06a2cb3c3ee16d5c3b715a040998027d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42bc1d11d94b7acc573bb70ba26b1735

SHA1
89c75638a30ea1b2e530ac073260afd211ea2d9d

SHA256
32dc4fc927a6b3926785063bb145b7d54fd25ffe83476058ceaf817f7a91d58b

SHA512
be70434e30a9faae0557bb1b8d8b994f694796c43b60aac4d66eb1df92ae735fa0fc87eadf2ac55669ba705f8604453b5f2337e874b70dd74adc9b3bfea5ce0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ef5e605d165ca79556358f4d1dbc77c

SHA1
d0dfebdbb34139290fa72c7e9d01a63a1c462f6f

SHA256
d2e6b63f479312f86e819ed76ecbb30a3ccbad3b76dd51fb370ddb0a18c357c8

SHA512
097aaa4bf9cd5110954d1e8f21453aeb433c1776ae6f4a7eaf8a45defdc1048464e95287e7b0edd9b7e90fb914bffb15184f29a7bc94b61ea2149593e89638fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eef7157f1f3d1c27a3a27b384efd5bc9

SHA1
edd69321b1bdbf2a34ddb4c1131b4a7705bd80eb

SHA256
a5c1df865dfa9fb1781bc42780578032e42fec323a4aa279a9e7fe7285ef4bf5

SHA512
d1c48a1677d36936a3b63561e8cbf0a23229c36b6ed3c124631d0bd599f453988c9bad213c831b9054e1fdb8de008ae7c3cfe99081bfbf75dceb6a1323f0ea8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b44c8f3b2daafb48c14b26b6277ff405

SHA1
1e91cbd74c25eb54f95138b0e8064ee9fa71256f

SHA256
5f5e2e6f928be7a19ba1210fbe94aced8253c00b3cf381ec7ee7c39494b592bd

SHA512
c5ede35079bb28d664454fee90cfb0633d50260e4133424171d900382b721022683d338bf09158f9774f86441eed49f0873e9e88b63f54371d5e6702f992e4a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0c32739396b991db36ebb2ca6aa0970

SHA1
0757971067be1aa9f1f9a36a2bf919fb01f11254

SHA256
2d7d8248e28ac3fc641a07f652ecb203a8cd6d12c1ab4fa5b5ad38c3a76c3e79

SHA512
27706fab1cdb111c587b2bc13409f9461d998838e47eb551b2d93e723db07e6a1b7125268bdc6061f60f25b5cbd7fbc8696ba118202fe1c6bea4d90f0335ac3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cac42a44db39321b504d78ece36b6a5

SHA1
231ffebd58d180753dbc25989bc7fbae9b8389cf

SHA256
767d74b17c54a3947df2336a4c8f1fe3d1581b28a476be84b5039cad0a577bb1

SHA512
6ae8bcd77bd1713ba007744398f800c0f4f3b9998179b594ca13788c75aeec0d785d58d8335307c1170d7d947f264107923b7d1f4a79e1c2abd181e7f4e72326

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd16dee1893f977a9a5944fbc2a8eb45

SHA1
61ce5ffa876a823b7c072cbe0af20cf8a88e4a35

SHA256
6eb7be349ec1dc7b31f8e2f93002e21abd2585a20ceadba430aa656de181b2db

SHA512
8463efb6f28d1bc8761b629f234b09b2cbb97a356394f41e66e4b8d9caaf4f36680391d74c546168bdd7b9d6cd872c9e1b15dc4ba38d5ccd87800f2d1fda6401

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2105adf1e6cdb0607cc3be10224b2203

SHA1
06b2998eec463063a28fd504dae53e478dcee262

SHA256
3ff5bd9cdb93521d7cacd1c153fdfac1127ca30c2a10091a9b0ab64dccdf2361

SHA512
62194c95853d7ffe737758c9bcb3478a12dc059ae1d3bab398e7f59d52f1a207563d6447a0eb2af67b1f59a5e92c407b66ea375999da20b77bb1cc13f17b34d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5c30c59076596ddc31db105070fdedd

SHA1
b8a99eb32eb624191695a943638d2650bdaeb2c1

SHA256
bca2d878ae7e326f2b3679161103998b55731caf4f8d365c11b19765509e9082

SHA512
5d4e469e288988c9208583dd9df5a8e562855a695af88061d301ecacb1343bcaa1bf2a7e395adaf36897f2fdc7afb4fb08afa547c3de81c4e7bf52239837f08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B2E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B60.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe

Filesize
103KB

MD5
87b6ab47f70d56d18dad9fd98bad17f8

SHA1
be2d15ac63a0ea7870943db65623a4510026c627

SHA256
c1427682593f67ebe068dc5d9fb3b66b1915408bcf2e64bf599f86480f15cdcb

SHA512
54bdf53a29fe12fe551233e86de6c6c638a021876f4cde8d4353acbbaf8212dabe3d1fbed3fbefad4cbc0bc2719257526a16e52a662f4725c9c4ced2682ec6a5

Download Submit
\Program Files (x86)\Razer\RobloxChromaRGBMod\unins000.exe

Filesize
2.5MB

MD5
7439325b86388948df0025bb6f55149c

SHA1
1a584d2837b993a219c8198e5500a6d7d195ce4a

SHA256
338d81362c4aca3227e55d9f789f52b61a329ac3ed842b77da856c8e595cc2a6

SHA512
c6d9a2dd475a8ffbfd2bad895796024fa5dea7543bfecc6b2ed69a94fc34bd42a5494103a2155c6c15eb51bb63c9740d769ef6a76c7f81fe6f19e785b3b44bc0

Download Submit
\Users\Admin\AppData\Local\Temp\is-I02LV.tmp\RobloxChromaRGBModSetup.tmp

Filesize
2.5MB

MD5
5cf3c3207a7d76e3caea8380a1764290

SHA1
10dd78bfecc481d9226abc005763de22796c1bb8

SHA256
6b137f95890783fbd7255e8872b7236e1a5e9bdb319cda508ff94b36abdd0bd7

SHA512
a4c5ad5fef2a637809ff610fb9127ce86a94f0ae930c9ccaf4dca01813001f0d7dc899089a73b79da925e87b9d1d76bdd4fce6d675f37def4b867019b0899b62

Download Submit
memory/2112-282-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2112-10-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2112-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2112-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2704-281-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2704-12-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2704-11-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2704-8-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download